At the end of May, we discovered a campaign distributing Remote Access Trojan (RAT) malware: programs that allow attackers to remotely control an infected system.
The group we are investigating did not focus on any particular RAT family. Several Trojans (all of them widely available) were seen in attacks during the campaign. This trait reminded us of the Rat King, a mythical creature made up of rats with intertwined tails.

The original is taken from the monograph by K. N. Rossikov, "Mice and Mouse-like Rodents, the Most Important in Economic Terms" (1908)
We named the group we are investigating RATKing in honor of this creature. In this article, we describe how the attackers carried out the attack, which tools they used, and share our thoughts on attribution.
Course of the attack
Every attack in this campaign followed the algorithm below:
- The user received a phishing email with a link to Google Drive.
- Through the link, the victim downloaded a malicious VBS script that wrote a DLL library for loading the final payload into the Windows registry and launched PowerShell to execute it.
- The DLL injected the final payload, one of the RATs used by the attackers, into a system process and added the VBS script to startup to gain persistence on the infected machine.
- The final payload ran inside a system process and gave the attacker the ability to control the infected computer.
Schematically, this can be represented as follows:

Below we focus on the first three stages, because we are interested in the malware delivery mechanism. We will not describe the malware itself in detail. It is widely available, either sold on specialized forums or distributed as open-source projects, and is therefore not unique to the RATKing group.
Analysis of the attack stages
Stage 1. Phishing email
The attack began with the victim receiving a malicious email (the attackers used different templates; the screenshot below shows one example). The message contained a link to a legitimate storage service, drive.google.com, which supposedly led to a page for downloading a PDF document.

Example of a phishing email
In reality, however, it was not a PDF document that was downloaded but a VBS script.
Clicking the link from the email in the screenshot above downloaded a file named Cargo Flight Details.vbs. In this case, the attackers did not even try to disguise the file as a legitimate document.
At the same time, as part of this campaign, we found a script named Cargo Trip Detail.pdf.vbs. It could already pass for a legitimate PDF, because Windows hides file extensions by default. In this case, though, its icon, which corresponds to a VBS script, could still arouse suspicion.
At this stage the victim could recognize the deception: it takes only a moment to look closely at the downloaded files. However, in phishing campaigns like this one, attackers usually count on inattentive or hurried users.
Stage 2. Running the VBS script
The VBS script, which the user could open inadvertently, wrote a DLL library to the Windows registry. The script was obfuscated: its strings were written as bytes separated by an arbitrary character.

Example of an obfuscated script
The deobfuscation algorithm is quite simple: every third character is removed from the obfuscated string, after which the result is decoded from base16 into the original string. For example, the value 57Q53s63t72s69J70r74e2El53v68m65j6CH6Ct (highlighted in the screenshot above) yields the string WScript.Shell.
To deobfuscate the strings, we used this Python function:
```python
import binascii

def decode_str(data_enc):
    # Keep two characters out of every three, then decode the result from base16.
    return binascii.unhexlify(''.join([data_enc[i:i+2] for i in range(0, len(data_enc), 3)]))
```
Below, lines 9–10 contain the value that, when deobfuscated, yields the DLL file. This is the DLL that was launched in the next stage using PowerShell.
String with the obfuscated DLL
Each function in the VBS script was executed as the strings were deobfuscated.
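The decoding rule above applied to a whole script, as an added example that is not code from the original article: it finds every string literal built from "two hex digits plus one filler character" triplets and decodes it, including the case where the filler itself is a hex digit. The sample script, its second literal and the decoder name x() are constructed for this example.

```python
import binascii
import re

# A double-quoted VBS literal made only of "two hex digits + one filler
# character" triplets (at least four of them): the encoding described above.
OBF_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}[^"]){4,})"')

def decode_str(data_enc):
    """Drop every third character, then decode the remainder from base16."""
    if len(data_enc) % 3:
        raise ValueError("encoded length must be a multiple of 3")
    pairs = "".join(data_enc[i:i + 2] for i in range(0, len(data_enc), 3))
    return binascii.unhexlify(pairs)

def deobfuscate_script(vbs_text):
    """Return (line number, decoded bytes) for each encoded literal in a script."""
    results = []
    for line_no, line in enumerate(vbs_text.splitlines(), start=1):
        for match in OBF_LITERAL.finditer(line):
            results.append((line_no, decode_str(match.group(1))))
    return results

# Constructed sample: the first literal is the one quoted in the article,
# the second is made up for this example; x() is a hypothetical decoder name.
SAMPLE_VBS = '''Set sh = CreateObject(x("57Q53s63t72s69J70r74e2El53v68m65j6CH6Ct"))
WScript.Sleep 5000
key = x("53a6Fb66c74d77e61f72g65h5Ci44j65k6Dl6Fm")
MsgBox "Plain text stays untouched"
'''

if __name__ == "__main__":
    for line_no, value in deobfuscate_script(SAMPLE_VBS):
        print(line_no, value)
```

Decoding is positional, so a filler character that happens to be a hex digit does not shift the result.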
After the script started, the wscript.sleep function was called; it was used to delay execution.
The script then worked with the Windows registry through WMI. It created a unique key and wrote the body of the executable file into its value. The registry was accessed through WMI with the following command:
```
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
```
Registry entry made by the VBS script
Stage 3. Running the DLL
In the third stage, the malicious DLL loaded the final payload, injected it into a system process, and ensured that the VBS script would run when the user logged in.
Launch via PowerShell
The DLL was executed with the following PowerShell command:
```
[System.Threading.Thread]::GetDomain().Load((ItemProperty HKCU:///Software///<rnd_sub_key_name> ).<rnd_value_name>);
[GUyyvmzVhebFCw]::EhwwK('WScript.ScriptFullName', 'rWZlgEtiZr', 'WScript.ScriptName'),0
```
This command did the following:
- retrieved the data of the registry value named rnd_value_name; this data was a DLL file written for the .Net platform;
- loaded the resulting .Net module into the memory of the powershell.exe process using the function [System.Threading.Thread]::GetDomain().Load() (see the description of the Load() function);
- executed the function [GUyyvmzVhebFCw]::EhwwK(), with which execution of the DLL library began, with the parameters vbsScriptPath, xorKey, vbsScriptName. The xorKey parameter stored the key for decrypting the final payload, and the vbsScriptPath and vbsScriptName parameters were passed on in order to register the VBS script in startup.
Description of the DLL library
In decompiled form, the loader looked like this:

The loader in decompiled form (the function from which execution of the DLL library began is underlined in red)
The loader is protected with .Net Reactor. The de4dot utility does an excellent job of removing this protector.
This loader:
- injected the payload into a system process (in this example, svchost.exe);
- registered the VBS script in startup.
Payload injection
Let's look at the function that the PowerShell script called.

The function called by the PowerShell script
This function performed the following actions:
- decrypted two data arrays (array and array2 in the screenshot). They were originally compressed with gzip and encrypted with the XOR algorithm using the key xorKey;
- copied the data into allocated memory regions. The data from array went to the memory region pointed to by intPtr (payload pointer in the screenshot); the data from array2 went to the memory region pointed to by intPtr2 (shellcode pointer in the screenshot);
- called the CallWindowProcA function (it is described on the Microsoft website) with the following parameters (the parameter names are listed below; in the screenshot they appear in the same order, but with working values):
  - lpPrevWndFunc: a pointer to the data from array2;
  - hWnd: a pointer to a string containing the path to the executable file svchost.exe;
  - Msg: a pointer to the data from array;
  - wParam, lParam: message parameters (in this case they were not used and had the value 0);
- created the file %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\<name>.url, where <name> is the first 4 characters of the vbsScriptName parameter (in the screenshot, the code fragment with this action begins with the File.Copy command). In this way, the malware added a URL file to the list of files run at user logon and thus gained persistence on the infected computer. The URL file contained a link to the script:
```
[InternetShortcut]
URL=file:///<vbsScriptPath>
```
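A defender-side check for the persistence artifact described above, as an added example that is not code from the original article: it parses every .url file in a Startup folder and reports those whose URL points at a local script, also noting when the shortcut is named after the first four characters of the script name. The function names, the extension list and the sample files are constructed for this example.

```python
import configparser
import re
import tempfile
from pathlib import Path, PureWindowsPath
from urllib.parse import unquote, urlparse

# Script types that Windows hands to a script host or shell when opened.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta"}

def shortcut_target(url_file):
    """Return the URL value of an [InternetShortcut] file, or None if malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(Path(url_file).read_text(encoding="utf-8-sig", errors="replace"))
        return parser.get("InternetShortcut", "URL").strip()
    except configparser.Error:
        return None

def suspicious_startup_shortcuts(startup_dir):
    """List (shortcut, script path, name_matches) for .url files that launch local scripts."""
    hits = []
    for entry in sorted(Path(startup_dir).iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".url":
            continue
        target = shortcut_target(entry)
        if not target or urlparse(target).scheme.lower() != "file":
            continue
        local = unquote(urlparse(target).path)
        if re.match(r"^/[A-Za-z]:", local):  # "/C:/..." -> "C:/..."
            local = local[1:]
        script = PureWindowsPath(local)
        if script.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        # The loader described above names the shortcut after the first
        # four characters of the script name.
        name_matches = entry.stem.lower() == script.name[:4].lower()
        hits.append((entry.name, str(script), name_matches))
    return hits

def build_constructed_startup(folder):
    """Write constructed sample shortcuts (not real indicators) for the demo."""
    samples = {
        "Carg.url": "file:///C:/Users/demo/Downloads/Cargo%20Trip%20Detail.pdf.vbs",
        "Update.url": r"file:///C:\Users\demo\AppData\Roaming\helper.js",
        "Intranet.url": "https://intranet.example/",
        "Readme.url": "file:///C:/Users/demo/readme.txt",
    }
    for name, url in samples.items():
        Path(folder, name).write_text(f"[InternetShortcut]\nURL={url}\n", encoding="utf-8")
    # No section header: must be skipped, not crash the scan.
    Path(folder, "Broken.url").write_text("URL=file:///C:/x.vbs\n", encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_startup(tmp)
        for hit in suspicious_startup_shortcuts(tmp):
            print(hit)
```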
To understand how the injection was carried out, we decrypted the data arrays array and array2. For this we used the following Python function:
```python
import gzip

def decrypt(data, key):
    # data and key are bytes: XOR with the repeating key, skip the first
    # 4 bytes of the result, then decompress the gzip stream.
    return gzip.decompress(
        bytearray([data[i] ^ key[i % len(key)] for i in range(len(data))])[4:])
```
As a result, we found that:
- array is a PE file: this is the final payload;
- array2 is the shellcode needed to perform the injection.
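The triage step described above, as an added example that is not code from the original article: it decrypts a blob with the same XOR-then-gzip logic, reports a wrong key instead of crashing, and tells a PE file from raw data by checking the MZ header and the PE signature at e_lfanew. The samples, the encrypt_constructed helper and the reading of the 4 skipped bytes as a length prefix are assumptions made to build test data.

```python
import gzip
import struct
import zlib

def decrypt(data, key):
    """XOR with the repeating key, skip the 4 leading bytes, gunzip."""
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return gzip.decompress(plain[4:])

def classify(blob):
    """Return 'pe' for an MZ header with a PE signature at e_lfanew, else 'raw'."""
    if len(blob) >= 0x40 and blob[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
        if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "raw"

def triage(data, key):
    """Decrypt one array and classify it; a wrong key fails the gzip header check."""
    try:
        return classify(decrypt(data, key))
    except (OSError, EOFError, zlib.error):
        return "bad-key"

def encrypt_constructed(plain, key):
    """Inverse of decrypt(), used only to build sample input (prefix is an assumption)."""
    packed = struct.pack("<I", len(plain)) + gzip.compress(plain)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(packed))

# Constructed inputs: the key is the value shown in the PowerShell command above;
# the "PE" is a header-only stub and the "raw" blob is inert filler bytes.
KEY = b"rWZlgEtiZr"
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
RAW_BLOB = bytes(range(64))

if __name__ == "__main__":
    print(triage(encrypt_constructed(PE_STUB, KEY), KEY))
    print(triage(encrypt_constructed(RAW_BLOB, KEY), KEY))
    print(triage(encrypt_constructed(PE_STUB, KEY), b"0000000000"))
```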
The shellcode from array2 was passed as the value of the lpPrevWndFunc parameter to the CallWindowProcA function. lpPrevWndFunc is a callback function; its prototype looks like this:
```c
LRESULT WndFunc(
  HWND   hWnd,
  UINT   Msg,
  WPARAM wParam,
  LPARAM lParam
);
```
So when CallWindowProcA is called with the parameters hWnd, Msg, wParam, lParam, the shellcode from array2 is executed with the arguments hWnd and Msg. hWnd is a pointer to a string containing the path to the executable file svchost.exe, and Msg is a pointer to the final payload.
The shellcode obtained function addresses from kernel32.dll and ntdll32.dll by hash values of their names and injected the final payload into the memory of the svchost.exe process using the Process Hollowing technique. During injection, the shellcode:
- created the svchost.exe process in a suspended state using the CreateProcessW function;
- then unmapped the section view in the address space of the svchost.exe process using the NtUnmapViewOfSection function. In this way the program freed the memory of the original svchost.exe process in order to allocate memory for the payload at that address;
- allocated memory for the payload in the address space of the svchost.exe process using the VirtualAllocEx function;

Start of the injection process
- wrote the contents of the payload into the address space of the svchost.exe process using the WriteProcessMemory function (as in the screenshot below);
- resumed the svchost.exe process using the ResumeThread function.

Completion of the injection process
Downloaded malware
As a result of the described actions, one of several RAT-class malware programs was installed on the infected system. The table below lists the malware used in the attack, which we can confidently attribute to a single group of attackers, since the samples contacted the same command-and-control server.
| Malware name | First seen | SHA-256 | C&C | Process injected into |
|---|---|---|---|---|
| Darktrack | 16-04-2020 | ea64fe672c953adc19553ea3b9118ce4ee88a14d92fc7e75aa04972848472702 | kimjoy007.dyndns[.]org:2017 | svchost |
| Parallax | 24-04-2020 | b4ecd8dbbceaadd482f1b23b712bcddc5464bccaac11fe78ea5fd0ba932a4043 | kimjoy007.dyndns[.]org:2019 | svchost |
| Warzone | 18-05-2020 | 3786324ce3f8c1ea3784e5389f84234f81828658b22b8a502b7d48866f5aa3d3 | kimjoy007.dyndns[.]org:9933 | svchost |
| Netwire | 20-05-2020 | 6dac218f741b022f5cad3b5ee01dbda80693f7045b42a0c70335d8a729002f2d | kimjoy007.dyndns[.]org:2000 | svchost |
Examples of distributed malware with the same control server
Two things are worth noting here.
First, the very fact that the attackers used several different RAT families at once. This behavior is not typical of well-known cybercriminal groups, which usually use similar tools.
Second, RATKing used malware that is either sold on specialized forums for a small price or is an open-source project.
A list of the malware used in the campaign, with one important caveat, is given at the end of the article.
About the group
We cannot attribute the described malicious campaign to any known threat actor. For now we believe that these attacks were carried out by a new group. As we wrote at the beginning, we named it RATKing.
To create the VBS script, the group probably used a tool similar to the VBS-Crypter utility. This is indicated by the similarity between the script that this program generates and the attackers' script. In particular, both:
- delay execution using the Sleep function;
- use WMI;
- write the body of the executable file as a registry key value;
- execute this file using PowerShell in its own address space.
For clarity, compare the PowerShell command for running a file from the registry that is used by a script created with VBS-Crypter:
```
$text=((Get-ItemProperty HKCU:\Software\NYANxCAT).NYANxCAT);$text=-join$text[-1..-$text.Length];[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String($text)).EntryPoint.Invoke($Null,$Null);
```
with the analogous command used by the attackers' script:
```
[System.Threading.Thread]::GetDomain().Load((ItemProperty HKCU:///Software///<rnd_sub_key_name> ).<rnd_value_name>);
[GUyyvmzVhebFCw]::EhwwK('WScript.ScriptFullName', 'rWZlgEtiZr', 'WScript.ScriptName'),0
```
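What the two commands compared above have in common, turned into a detection rule over process-creation events, as an added example that is not code from the original article or from either tool: it alerts when a single PowerShell command line both reads a registry value and loads a .NET assembly in memory, in either order. The event layout, host names, PIDs and benign command lines are constructed.

```python
import re

# Registry read through the Item provider: Get-ItemProperty / ItemProperty on HKCU: or HKLM:
REG_READ = re.compile(r"\b(?:get-)?itemproperty(?:value)?\b[^;|]*?\bhk(?:cu|lm):", re.I)
# In-memory .NET assembly load: GetDomain().Load(, CurrentDomain.Load(, [Reflection.Assembly]::Load(
ASM_LOAD = re.compile(
    r"(?:getdomain\(\)|currentdomain|reflection\.assembly\])\s*(?:\.|::)\s*load\s*\(", re.I)

def registry_assembly_load(command_line):
    """True when one command both reads a registry value and loads an assembly in memory."""
    text = re.sub(r"\s+", " ", command_line)
    return bool(REG_READ.search(text) and ASM_LOAD.search(text))

def scan(events):
    """Return (host, pid) for every PowerShell process-creation event that matches."""
    return [(host, pid) for host, pid, image, command_line in events
            if image.lower().endswith(("powershell.exe", "pwsh.exe"))
            and registry_assembly_load(command_line)]

# The two command bodies quoted in the article (first statement of each).
ATTACKER_CMD = (r"[System.Threading.Thread]::GetDomain().Load((ItemProperty "
                r"HKCU:///Software///<rnd_sub_key_name> ).<rnd_value_name>);")
CRYPTER_CMD = (r"$text=((Get-ItemProperty HKCU:\Software\NYANxCAT).NYANxCAT);"
               r"[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String($text))"
               r".EntryPoint.Invoke($Null,$Null);")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events: (host, pid, image, command line).
CONSTRUCTED_EVENTS = [
    ("WS-01", 4112, PS, "powershell.exe -Command " + ATTACKER_CMD),
    ("WS-02", 5220, PS.upper(), "powershell -c " + CRYPTER_CMD.lower()),
    # Registry read only: common administrative use, no alert.
    ("WS-03", 6001, PS,
     r"powershell.exe -Command Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"),
    # Assembly load from a file on disk, no registry read: no alert.
    ("WS-04", 6100, PS,
     r"powershell.exe -Command [Reflection.Assembly]::Load([IO.File]::ReadAllBytes('C:\Tools\helper.dll'))"),
    # Not a PowerShell process: out of scope for this rule.
    ("WS-05", 7000, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\demo\Downloads\Cargo Trip Detail.pdf.vbs"'),
]

if __name__ == "__main__":
    for host, pid in scan(CONSTRUCTED_EVENTS):
        print(f"ALERT registry-backed assembly load: host={host} pid={pid}")
```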
Note that the attackers used another utility from NYAN-x-CAT as one of the payloads.
The addresses of the C&C servers point to another distinguishing feature of RATKing: the group prefers dynamic DNS services (see the list of C&Cs in the IoC table).
IoC
The table below gives a complete list of VBS scripts that can most likely be attributed to the described campaign. All these scripts are similar and perform roughly the same sequence of actions. All of them inject RAT-class malware into a trusted Windows process. All of them have C&C addresses registered using Dynamic DNS services.
Nevertheless, we cannot claim that all these scripts were distributed by the same attackers, with the exception of the samples with the same C&C addresses (for example, kimjoy007.dyndns.org).
Source: www.hab.com
