Malware Analysis Report

2024-09-22 14:12

Sample ID 240513-wnmnesha38
Target 3c23060bff44df650a2def69bf0733a7_JaffaCakes118
SHA256 954d80f7e2ee27d8056e565e351b2c81d7d22c430b5443cf59924015b5f3664f
Tags execution cerber defense_evasion discovery impact ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral11 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral12 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral10 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral9 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10
SHA256 954d80f7e2ee27d8056e565e351b2c81d7d22c430b5443cf59924015b5f3664f

Threat Level: Known bad

The file 3c23060bff44df650a2def69bf0733a7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

execution cerber defense_evasion discovery impact ransomware spyware stealer

Cerber

Deletes shadow copies

Contacts a large (517) amount of remote hosts

Blocklisted process makes network request

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Command and Scripting Interpreter: JavaScript

Program crash

Suspicious behavior: MapViewOfSection

Kills process with taskkill

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-05-13 18:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted 2024-05-13 18:04
Reported 2024-05-13 18:06
Platform win7-20240221-en
Max time kernel 122s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 e4cd221c4e43b554715b0a8a57434a46
SHA1 4f07d920d8fe3bd614cc229f114b312f26013880
SHA256 16a3798c80a0dd793b583892535687b0ce2e10ff10675ae159fe6d42fa17aeea
SHA512 ef54ddaab0ac420fe868d089a1f8d08134802bcf192070ad1e87236836d5c5a04037daf6f862d7c9b116b3863347969cc0fa1ee76260eb4621760015900e6725

Analysis: behavioral6

Detonation Overview

Submitted 2024-05-13 18:04
Reported 2024-05-13 18:06
Platform win10v2004-20240508-en
Max time kernel 93s
Max time network 94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 852 wrote to memory of 436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted 2024-05-13 18:04
Reported 2024-05-13 18:06
Platform win7-20240215-en
Max time kernel 121s
Max time network 126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted 2024-05-13 18:04
Reported 2024-05-13 18:06
Platform win7-20240221-en
Max time kernel 121s
Max time network 124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\youtube_activex.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\youtube_activex.js

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted 2024-05-13 18:04
Reported 2024-05-13 18:06
Platform win10v2004-20240426-en
Max time kernel 150s
Max time network 151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\youtube_activex.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\youtube_activex.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-13 18:04
Reported 2024-05-13 18:06
Platform win7-20240419-en
Max time kernel 122s
Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe"

Signatures

Cerber

ransomware cerber

Deletes shadow copies

ransomware defense_evasion impact execution

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Contacts a large (517) amount of remote hosts

discovery

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC275.bmp" C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_README_.hta C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe
PID 1760 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2664 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2664 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2888 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 428

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic.exe shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\_README_.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe"

C:\Windows\system32\PING.EXE

ping -n 1 127.0.0.1

Network

LT 194.165.16.207:6892 udp
LT 194.165.16.208:6892 udp
LT 194.165.16.209:6892 udp
LT 194.165.16.210:6892 udp
LT 194.165.16.211:6892 udp
LT 194.165.16.212:6892 udp
LT 194.165.16.213:6892 udp
LT 194.165.16.214:6892 udp
LT 194.165.16.215:6892 udp
LT 194.165.16.216:6892 udp
LT 194.165.16.217:6892 udp
LT 194.165.16.218:6892 udp
LT 194.165.16.219:6892 udp
LT 194.165.16.220:6892 udp
LT 194.165.16.221:6892 udp
LT 194.165.16.222:6892 udp
LT 194.165.16.223:6892 udp
LT 194.165.16.224:6892 udp
LT 194.165.16.225:6892 udp
LT 194.165.16.226:6892 udp
LT 194.165.16.227:6892 udp
LT 194.165.16.228:6892 udp
LT 194.165.16.229:6892 udp
LT 194.165.16.230:6892 udp
LT 194.165.16.231:6892 udp
LT 194.165.16.232:6892 udp
LT 194.165.16.233:6892 udp
LT 194.165.16.234:6892 udp
LT 194.165.16.235:6892 udp
LT 194.165.16.236:6892 udp
LT 194.165.16.237:6892 udp
LT 194.165.16.238:6892 udp
LT 194.165.16.239:6892 udp
LT 194.165.16.240:6892 udp
LT 194.165.16.241:6892 udp
LT 194.165.16.242:6892 udp
LT 194.165.16.243:6892 udp
LT 194.165.16.244:6892 udp
LT 194.165.16.245:6892 udp
LT 194.165.16.246:6892 udp
LT 194.165.16.247:6892 udp
LT 194.165.16.248:6892 udp
LT 194.165.16.249:6892 udp
LT 194.165.16.250:6892 udp
LT 194.165.16.251:6892 udp
LT 194.165.16.252:6892 udp
LT 194.165.16.253:6892 udp
LT 194.165.16.254:6892 udp
LT 194.165.16.255:6892 udp
LT 194.165.17.0:6892 udp
LT 194.165.17.1:6892 udp
LT 194.165.17.2:6892 udp
LT 194.165.17.3:6892 udp
LT 194.165.17.4:6892 udp
LT 194.165.17.5:6892 udp
LT 194.165.17.6:6892 udp
LT 194.165.17.7:6892 udp
LT 194.165.17.8:6892 udp
LT 194.165.17.9:6892 udp
LT 194.165.17.10:6892 udp
LT 194.165.17.11:6892 udp
LT 194.165.17.12:6892 udp
LT 194.165.17.13:6892 udp
LT 194.165.17.14:6892 udp
LT 194.165.17.15:6892 udp
LT 194.165.17.16:6892 udp
LT 194.165.17.17:6892 udp
LT 194.165.17.18:6892 udp
LT 194.165.17.19:6892 udp
LT 194.165.17.20:6892 udp
LT 194.165.17.21:6892 udp
LT 194.165.17.22:6892 udp
LT 194.165.17.23:6892 udp
LT 194.165.17.24:6892 udp
LT 194.165.17.25:6892 udp
LT 194.165.17.26:6892 udp
LT 194.165.17.27:6892 udp
LT 194.165.17.28:6892 udp
LT 194.165.17.29:6892 udp
LT 194.165.17.30:6892 udp
LT 194.165.17.31:6892 udp
LT 194.165.17.32:6892 udp
LT 194.165.17.33:6892 udp
LT 194.165.17.34:6892 udp
LT 194.165.17.35:6892 udp
LT 194.165.17.36:6892 udp
LT 194.165.17.37:6892 udp
LT 194.165.17.38:6892 udp
LT 194.165.17.39:6892 udp
LT 194.165.17.40:6892 udp
LT 194.165.17.41:6892 udp
LT 194.165.17.42:6892 udp
LT 194.165.17.43:6892 udp
LT 194.165.17.44:6892 udp
LT 194.165.17.45:6892 udp
LT 194.165.17.46:6892 udp
LT 194.165.17.47:6892 udp
LT 194.165.17.48:6892 udp
LT 194.165.17.49:6892 udp
LT 194.165.17.50:6892 udp
LT 194.165.17.51:6892 udp
LT 194.165.17.52:6892 udp
LT 194.165.17.53:6892 udp
LT 194.165.17.54:6892 udp
LT 194.165.17.55:6892 udp
LT 194.165.17.56:6892 udp
LT 194.165.17.57:6892 udp
LT 194.165.17.58:6892 udp
LT 194.165.17.59:6892 udp
LT 194.165.17.60:6892 udp
LT 194.165.17.61:6892 udp
LT 194.165.17.62:6892 udp
LT 194.165.17.63:6892 udp
LT 194.165.17.64:6892 udp
LT 194.165.17.65:6892 udp
LT 194.165.17.66:6892 udp
LT 194.165.17.67:6892 udp
LT 194.165.17.68:6892 udp
LT 194.165.17.69:6892 udp
LT 194.165.17.70:6892 udp
LT 194.165.17.71:6892 udp
LT 194.165.17.72:6892 udp
LT 194.165.17.73:6892 udp
LT 194.165.17.74:6892 udp
LT 194.165.17.75:6892 udp
LT 194.165.17.76:6892 udp
LT 194.165.17.77:6892 udp
LT 194.165.17.78:6892 udp
LT 194.165.17.79:6892 udp
LT 194.165.17.80:6892 udp
LT 194.165.17.81:6892 udp
LT 194.165.17.82:6892 udp
LT 194.165.17.83:6892 udp
LT 194.165.17.84:6892 udp
LT 194.165.17.85:6892 udp
LT 194.165.17.86:6892 udp
LT 194.165.17.87:6892 udp
LT 194.165.17.88:6892 udp
LT 194.165.17.89:6892 udp
LT 194.165.17.90:6892 udp
LT 194.165.17.91:6892 udp
LT 194.165.17.92:6892 udp
LT 194.165.17.93:6892 udp
LT 194.165.17.94:6892 udp
LT 194.165.17.95:6892 udp
LT 194.165.17.96:6892 udp
LT 194.165.17.97:6892 udp
LT 194.165.17.98:6892 udp
LT 194.165.17.99:6892 udp
LT 194.165.17.100:6892 udp
LT 194.165.17.101:6892 udp
LT 194.165.17.102:6892 udp
LT 194.165.17.103:6892 udp
LT 194.165.17.104:6892 udp
LT 194.165.17.105:6892 udp
LT 194.165.17.106:6892 udp
LT 194.165.17.107:6892 udp
LT 194.165.17.108:6892 udp
LT 194.165.17.109:6892 udp
LT 194.165.17.110:6892 udp
LT 194.165.17.111:6892 udp
LT 194.165.17.112:6892 udp
LT 194.165.17.113:6892 udp
LT 194.165.17.114:6892 udp
LT 194.165.17.115:6892 udp
LT 194.165.17.116:6892 udp
LT 194.165.17.117:6892 udp
LT 194.165.17.118:6892 udp
LT 194.165.17.119:6892 udp
LT 194.165.17.120:6892 udp
LT 194.165.17.121:6892 udp
LT 194.165.17.122:6892 udp
LT 194.165.17.123:6892 udp
LT 194.165.17.124:6892 udp
LT 194.165.17.125:6892 udp
LT 194.165.17.126:6892 udp
LT 194.165.17.127:6892 udp
LT 194.165.17.128:6892 udp
LT 194.165.17.129:6892 udp
LT 194.165.17.130:6892 udp
LT 194.165.17.131:6892 udp
LT 194.165.17.132:6892 udp
LT 194.165.17.133:6892 udp
LT 194.165.17.134:6892 udp
LT 194.165.17.135:6892 udp
LT 194.165.17.136:6892 udp
LT 194.165.17.137:6892 udp
LT 194.165.17.138:6892 udp
LT 194.165.17.139:6892 udp
LT 194.165.17.140:6892 udp
LT 194.165.17.141:6892 udp
LT 194.165.17.142:6892 udp
LT 194.165.17.143:6892 udp
LT 194.165.17.144:6892 udp
LT 194.165.17.145:6892 udp
LT 194.165.17.146:6892 udp
LT 194.165.17.147:6892 udp
LT 194.165.17.148:6892 udp
LT 194.165.17.149:6892 udp
LT 194.165.17.150:6892 udp
LT 194.165.17.151:6892 udp
LT 194.165.17.152:6892 udp
LT 194.165.17.153:6892 udp
LT 194.165.17.154:6892 udp
LT 194.165.17.155:6892 udp
LT 194.165.17.156:6892 udp
LT 194.165.17.157:6892 udp
LT 194.165.17.158:6892 udp
LT 194.165.17.159:6892 udp
LT 194.165.17.160:6892 udp
LT 194.165.17.161:6892 udp
LT 194.165.17.162:6892 udp
LT 194.165.17.163:6892 udp
LT 194.165.17.164:6892 udp
LT 194.165.17.165:6892 udp
LT 194.165.17.166:6892 udp
LT 194.165.17.167:6892 udp
LT 194.165.17.168:6892 udp
LT 194.165.17.169:6892 udp
LT 194.165.17.170:6892 udp
LT 194.165.17.171:6892 udp
LT 194.165.17.172:6892 udp
LT 194.165.17.173:6892 udp
LT 194.165.17.174:6892 udp
LT 194.165.17.175:6892 udp
LT 194.165.17.176:6892 udp
LT 194.165.17.177:6892 udp
LT 194.165.17.178:6892 udp
LT 194.165.17.179:6892 udp
LT 194.165.17.180:6892 udp
LT 194.165.17.181:6892 udp
LT 194.165.17.182:6892 udp
LT 194.165.17.183:6892 udp
LT 194.165.17.184:6892 udp
LT 194.165.17.185:6892 udp
LT 194.165.17.186:6892 udp
LT 194.165.17.187:6892 udp
LT 194.165.17.188:6892 udp
LT 194.165.17.189:6892 udp
LT 194.165.17.190:6892 udp
LT 194.165.17.191:6892 udp
LT 194.165.17.192:6892 udp
LT 194.165.17.193:6892 udp
LT 194.165.17.194:6892 udp
LT 194.165.17.195:6892 udp
LT 194.165.17.196:6892 udp
LT 194.165.17.197:6892 udp
LT 194.165.17.198:6892 udp
LT 194.165.17.199:6892 udp
LT 194.165.17.200:6892 udp
LT 194.165.17.201:6892 udp
LT 194.165.17.202:6892 udp
LT 194.165.17.203:6892 udp
LT 194.165.17.204:6892 udp
LT 194.165.17.205:6892 udp
LT 194.165.17.206:6892 udp
LT 194.165.17.207:6892 udp
LT 194.165.17.208:6892 udp
LT 194.165.17.209:6892 udp
LT 194.165.17.210:6892 udp
LT 194.165.17.211:6892 udp
LT 194.165.17.212:6892 udp
LT 194.165.17.213:6892 udp
LT 194.165.17.214:6892 udp
LT 194.165.17.215:6892 udp
LT 194.165.17.216:6892 udp
LT 194.165.17.217:6892 udp
LT 194.165.17.218:6892 udp
LT 194.165.17.219:6892 udp
LT 194.165.17.220:6892 udp
LT 194.165.17.221:6892 udp
LT 194.165.17.222:6892 udp
LT 194.165.17.223:6892 udp
LT 194.165.17.224:6892 udp
LT 194.165.17.225:6892 udp
LT 194.165.17.226:6892 udp
LT 194.165.17.227:6892 udp
LT 194.165.17.228:6892 udp
LT 194.165.17.229:6892 udp
LT 194.165.17.230:6892 udp
LT 194.165.17.231:6892 udp
LT 194.165.17.232:6892 udp
LT 194.165.17.233:6892 udp
LT 194.165.17.234:6892 udp
LT 194.165.17.235:6892 udp
LT 194.165.17.236:6892 udp
LT 194.165.17.237:6892 udp
LT 194.165.17.238:6892 udp
LT 194.165.17.239:6892 udp
LT 194.165.17.240:6892 udp
LT 194.165.17.241:6892 udp
LT 194.165.17.242:6892 udp
LT 194.165.17.243:6892 udp
LT 194.165.17.244:6892 udp
LT 194.165.17.245:6892 udp
LT 194.165.17.246:6892 udp
LT 194.165.17.247:6892 udp
LT 194.165.17.248:6892 udp
LT 194.165.17.249:6892 udp
LT 194.165.17.250:6892 udp
LT 194.165.17.251:6892 udp
LT 194.165.17.252:6892 udp
LT 194.165.17.253:6892 udp
LT 194.165.17.254:6892 udp
LT 194.165.17.255:6892 udp
N/A 192.168.0.0:6892 udp
N/A 192.168.0.1:6892 udp
N/A 192.168.0.2:6892 udp
N/A 192.168.0.3:6892 udp
N/A 192.168.0.4:6892 udp
N/A 192.168.0.5:6892 udp
N/A 192.168.0.6:6892 udp
N/A 192.168.0.7:6892 udp
N/A 192.168.0.8:6892 udp
N/A 192.168.0.9:6892 udp
N/A 192.168.0.10:6892 udp
N/A 192.168.0.11:6892 udp
N/A 192.168.0.12:6892 udp
N/A 192.168.0.13:6892 udp
N/A 192.168.0.14:6892 udp
N/A 192.168.0.15:6892 udp
N/A 192.168.0.16:6892 udp
N/A 192.168.0.17:6892 udp
N/A 192.168.0.18:6892 udp
N/A 192.168.0.19:6892 udp
N/A 192.168.0.20:6892 udp
N/A 192.168.0.21:6892 udp
N/A 192.168.0.22:6892 udp
N/A 192.168.0.23:6892 udp
N/A 192.168.0.24:6892 udp
N/A 192.168.0.25:6892 udp
N/A 192.168.0.26:6892 udp
N/A 192.168.0.27:6892 udp
N/A 192.168.0.28:6892 udp
N/A 192.168.0.29:6892 udp
N/A 192.168.0.30:6892 udp
N/A 192.168.0.31:6892 udp
LT 194.165.16.0:6892 udp
LT 194.165.16.1:6892 udp
LT 194.165.16.2:6892 udp
LT 194.165.16.3:6892 udp
LT 194.165.16.4:6892 udp
LT 194.165.16.5:6892 udp
LT 194.165.16.6:6892 udp
LT 194.165.16.7:6892 udp
LT 194.165.16.8:6892 udp
LT 194.165.16.9:6892 udp
LT 194.165.16.10:6892 udp
LT 194.165.16.11:6892 udp
LT 194.165.16.12:6892 udp
LT 194.165.16.13:6892 udp
LT 194.165.16.14:6892 udp
LT 194.165.16.15:6892 udp
LT 194.165.16.16:6892 udp
LT 194.165.16.17:6892 udp
LT 194.165.16.18:6892 udp
LT 194.165.16.19:6892 udp
LT 194.165.16.20:6892 udp
LT 194.165.16.21:6892 udp
LT 194.165.16.22:6892 udp
LT 194.165.16.23:6892 udp
LT 194.165.16.24:6892 udp
LT 194.165.16.25:6892 udp
LT 194.165.16.26:6892 udp
LT 194.165.16.27:6892 udp
LT 194.165.16.28:6892 udp
LT 194.165.16.29:6892 udp
LT 194.165.16.30:6892 udp
LT 194.165.16.31:6892 udp
LT 194.165.16.32:6892 udp
LT 194.165.16.33:6892 udp
LT 194.165.16.34:6892 udp
LT 194.165.16.35:6892 udp
LT 194.165.16.36:6892 udp
LT 194.165.16.37:6892 udp
LT 194.165.16.38:6892 udp
LT 194.165.16.39:6892 udp
LT 194.165.16.40:6892 udp
LT 194.165.16.41:6892 udp
LT 194.165.16.42:6892 udp
LT 194.165.16.43:6892 udp
LT 194.165.16.44:6892 udp
LT 194.165.16.45:6892 udp
LT 194.165.16.46:6892 udp
LT 194.165.16.47:6892 udp
LT 194.165.16.48:6892 udp
LT 194.165.16.49:6892 udp
LT 194.165.16.50:6892 udp
LT 194.165.16.51:6892 udp
LT 194.165.16.52:6892 udp
LT 194.165.16.53:6892 udp
LT 194.165.16.54:6892 udp
LT 194.165.16.55:6892 udp
LT 194.165.16.56:6892 udp
LT 194.165.16.57:6892 udp
LT 194.165.16.58:6892 udp
LT 194.165.16.59:6892 udp
LT 194.165.16.60:6892 udp
LT 194.165.16.61:6892 udp
LT 194.165.16.62:6892 udp
LT 194.165.16.63:6892 udp
LT 194.165.16.64:6892 udp
LT 194.165.16.65:6892 udp
LT 194.165.16.66:6892 udp
LT 194.165.16.67:6892 udp
LT 194.165.16.68:6892 udp
LT 194.165.16.69:6892 udp
LT 194.165.16.70:6892 udp
LT 194.165.16.71:6892 udp
LT 194.165.16.72:6892 udp
LT 194.165.16.73:6892 udp
LT 194.165.16.74:6892 udp
LT 194.165.16.75:6892 udp
LT 194.165.16.76:6892 udp
LT 194.165.16.77:6892 udp
LT 194.165.16.78:6892 udp
LT 194.165.16.79:6892 udp
LT 194.165.16.80:6892 udp
LT 194.165.16.81:6892 udp
LT 194.165.16.82:6892 udp
LT 194.165.16.83:6892 udp
LT 194.165.16.84:6892 udp
LT 194.165.16.85:6892 udp
LT 194.165.16.86:6892 udp
LT 194.165.16.87:6892 udp
LT 194.165.16.88:6892 udp
LT 194.165.16.89:6892 udp
LT 194.165.16.90:6892 udp
LT 194.165.16.91:6892 udp
LT 194.165.16.92:6892 udp
LT 194.165.16.93:6892 udp
LT 194.165.16.94:6892 udp
LT 194.165.16.95:6892 udp
LT 194.165.16.96:6892 udp
LT 194.165.16.97:6892 udp
LT 194.165.16.98:6892 udp
LT 194.165.16.99:6892 udp
LT 194.165.16.100:6892 udp
LT 194.165.16.101:6892 udp
LT 194.165.16.102:6892 udp
LT 194.165.16.103:6892 udp
LT 194.165.16.104:6892 udp
LT 194.165.16.105:6892 udp
LT 194.165.16.106:6892 udp
LT 194.165.16.107:6892 udp
LT 194.165.16.108:6892 udp
LT 194.165.16.109:6892 udp
LT 194.165.16.110:6892 udp
LT 194.165.16.111:6892 udp
LT 194.165.16.112:6892 udp
LT 194.165.16.113:6892 udp
LT 194.165.16.114:6892 udp
LT 194.165.16.115:6892 udp
LT 194.165.16.116:6892 udp
LT 194.165.16.117:6892 udp
LT 194.165.16.118:6892 udp
LT 194.165.16.119:6892 udp
LT 194.165.16.120:6892 udp
LT 194.165.16.121:6892 udp
LT 194.165.16.122:6892 udp
LT 194.165.16.123:6892 udp
LT 194.165.16.124:6892 udp
LT 194.165.16.125:6892 udp
LT 194.165.16.126:6892 udp
LT 194.165.16.127:6892 udp
LT 194.165.16.128:6892 udp
LT 194.165.16.129:6892 udp
LT 194.165.16.130:6892 udp
LT 194.165.16.131:6892 udp
LT 194.165.16.132:6892 udp
LT 194.165.16.133:6892 udp
LT 194.165.16.134:6892 udp
LT 194.165.16.135:6892 udp
LT 194.165.16.136:6892 udp
LT 194.165.16.137:6892 udp
LT 194.165.16.138:6892 udp
LT 194.165.16.139:6892 udp
LT 194.165.16.140:6892 udp
LT 194.165.16.141:6892 udp
LT 194.165.16.142:6892 udp
LT 194.165.16.143:6892 udp
LT 194.165.16.144:6892 udp
LT 194.165.16.145:6892 udp
LT 194.165.16.146:6892 udp
LT 194.165.16.147:6892 udp
LT 194.165.16.148:6892 udp
LT 194.165.16.149:6892 udp
LT 194.165.16.150:6892 udp
LT 194.165.16.151:6892 udp
LT 194.165.16.152:6892 udp
LT 194.165.16.153:6892 udp
LT 194.165.16.154:6892 udp
LT 194.165.16.155:6892 udp
LT 194.165.16.156:6892 udp
LT 194.165.16.157:6892 udp
LT 194.165.16.158:6892 udp
LT 194.165.16.159:6892 udp
LT 194.165.16.160:6892 udp
LT 194.165.16.161:6892 udp
LT 194.165.16.162:6892 udp
LT 194.165.16.163:6892 udp
LT 194.165.16.164:6892 udp
LT 194.165.16.165:6892 udp
LT 194.165.16.166:6892 udp
LT 194.165.16.167:6892 udp
LT 194.165.16.168:6892 udp
LT 194.165.16.169:6892 udp
LT 194.165.16.170:6892 udp
LT 194.165.16.171:6892 udp
LT 194.165.16.172:6892 udp
LT 194.165.16.173:6892 udp
LT 194.165.16.174:6892 udp
LT 194.165.16.175:6892 udp
LT 194.165.16.176:6892 udp
LT 194.165.16.177:6892 udp
LT 194.165.16.178:6892 udp
LT 194.165.16.179:6892 udp
LT 194.165.16.180:6892 udp
LT 194.165.16.181:6892 udp
LT 194.165.16.182:6892 udp
LT 194.165.16.183:6892 udp
LT 194.165.16.184:6892 udp
LT 194.165.16.185:6892 udp
LT 194.165.16.186:6892 udp
LT 194.165.16.187:6892 udp
LT 194.165.16.188:6892 udp
LT 194.165.16.189:6892 udp
LT 194.165.16.190:6892 udp
LT 194.165.16.191:6892 udp
LT 194.165.16.192:6892 udp
LT 194.165.16.193:6892 udp
LT 194.165.16.194:6892 udp
LT 194.165.16.195:6892 udp
LT 194.165.16.196:6892 udp
LT 194.165.16.197:6892 udp
LT 194.165.16.198:6892 udp
LT 194.165.16.199:6892 udp
LT 194.165.16.200:6892 udp
LT 194.165.16.201:6892 udp
LT 194.165.16.202:6892 udp
LT 194.165.16.203:6892 udp
LT 194.165.16.204:6892 udp
LT 194.165.16.205:6892 udp
LT 194.165.16.206:6892 udp
LT 194.165.16.207:6892 udp
LT 194.165.16.208:6892 udp
LT 194.165.16.209:6892 udp
LT 194.165.16.210:6892 udp
LT 194.165.16.211:6892 udp
LT 194.165.16.212:6892 udp
LT 194.165.16.213:6892 udp
LT 194.165.16.214:6892 udp
LT 194.165.16.215:6892 udp
LT 194.165.16.216:6892 udp
LT 194.165.16.217:6892 udp
LT 194.165.16.218:6892 udp
LT 194.165.16.219:6892 udp
LT 194.165.16.220:6892 udp
LT 194.165.16.221:6892 udp
LT 194.165.16.222:6892 udp
LT 194.165.16.223:6892 udp
LT 194.165.16.224:6892 udp
LT 194.165.16.225:6892 udp
LT 194.165.16.226:6892 udp
LT 194.165.16.227:6892 udp
LT 194.165.16.228:6892 udp
LT 194.165.16.229:6892 udp
LT 194.165.16.230:6892 udp
LT 194.165.16.231:6892 udp
LT 194.165.16.232:6892 udp
LT 194.165.16.233:6892 udp
LT 194.165.16.234:6892 udp
LT 194.165.16.235:6892 udp
LT 194.165.16.236:6892 udp
LT 194.165.16.237:6892 udp
LT 194.165.16.238:6892 udp
LT 194.165.16.239:6892 udp
LT 194.165.16.240:6892 udp
LT 194.165.16.241:6892 udp
LT 194.165.16.242:6892 udp
LT 194.165.16.243:6892 udp
LT 194.165.16.244:6892 udp
LT 194.165.16.245:6892 udp
LT 194.165.16.246:6892 udp
LT 194.165.16.247:6892 udp
LT 194.165.16.248:6892 udp
LT 194.165.16.249:6892 udp
LT 194.165.16.250:6892 udp
LT 194.165.16.251:6892 udp
LT 194.165.16.252:6892 udp
LT 194.165.16.253:6892 udp
LT 194.165.16.254:6892 udp
N/A 127.0.0.0:6892 udp
N/A 127.0.0.1:6892 udp
N/A 127.0.0.2:6892 udp
N/A 127.0.0.3:6892 udp
N/A 127.0.0.4:6892 udp
N/A 127.0.0.5:6892 udp
N/A 127.0.0.6:6892 udp
N/A 127.0.0.7:6892 udp
N/A 127.0.0.8:6892 udp
N/A 127.0.0.9:6892 udp
N/A 127.0.0.10:6892 udp
N/A 127.0.0.11:6892 udp
N/A 127.0.0.12:6892 udp
N/A 127.0.0.13:6892 udp
N/A 127.0.0.14:6892 udp
N/A 127.0.0.15:6892 udp
N/A 127.0.0.16:6892 udp
N/A 127.0.0.17:6892 udp
N/A 127.0.0.18:6892 udp
N/A 127.0.0.19:6892 udp
N/A 127.0.0.20:6892 udp
N/A 127.0.0.21:6892 udp
N/A 127.0.0.22:6892 udp
N/A 127.0.0.23:6892 udp
N/A 127.0.0.24:6892 udp
N/A 127.0.0.25:6892 udp
N/A 127.0.0.26:6892 udp
N/A 127.0.0.27:6892 udp
N/A 127.0.0.28:6892 udp
N/A 127.0.0.29:6892 udp
N/A 127.0.0.30:6892 udp
N/A 127.0.0.31:6892 udp
LT 194.165.16.255:6892 udp
LT 194.165.17.0:6892 udp
LT 194.165.17.1:6892 udp
LT 194.165.17.2:6892 udp
LT 194.165.17.3:6892 udp
LT 194.165.17.4:6892 udp
LT 194.165.17.5:6892 udp
LT 194.165.17.6:6892 udp
LT 194.165.17.7:6892 udp
LT 194.165.17.8:6892 udp
LT 194.165.17.9:6892 udp
LT 194.165.17.10:6892 udp
LT 194.165.17.11:6892 udp
LT 194.165.17.12:6892 udp
LT 194.165.17.13:6892 udp
LT 194.165.17.14:6892 udp
LT 194.165.17.15:6892 udp
LT 194.165.17.16:6892 udp
LT 194.165.17.17:6892 udp
LT 194.165.17.18:6892 udp
LT 194.165.17.19:6892 udp
LT 194.165.17.20:6892 udp
LT 194.165.17.21:6892 udp
LT 194.165.17.22:6892 udp
LT 194.165.17.23:6892 udp
LT 194.165.17.24:6892 udp
LT 194.165.17.25:6892 udp
LT 194.165.17.26:6892 udp
LT 194.165.17.27:6892 udp
LT 194.165.17.28:6892 udp
LT 194.165.17.29:6892 udp
LT 194.165.17.30:6892 udp
LT 194.165.17.31:6892 udp
LT 194.165.17.32:6892 udp
LT 194.165.17.33:6892 udp
LT 194.165.17.34:6892 udp
LT 194.165.17.35:6892 udp
LT 194.165.17.36:6892 udp
LT 194.165.17.37:6892 udp
LT 194.165.17.38:6892 udp
LT 194.165.17.39:6892 udp
LT 194.165.17.40:6892 udp
LT 194.165.17.41:6892 udp
LT 194.165.17.42:6892 udp
LT 194.165.17.43:6892 udp
LT 194.165.17.44:6892 udp
LT 194.165.17.45:6892 udp
LT 194.165.17.46:6892 udp
LT 194.165.17.47:6892 udp
LT 194.165.17.48:6892 udp
LT 194.165.17.49:6892 udp
LT 194.165.17.50:6892 udp
LT 194.165.17.51:6892 udp
LT 194.165.17.52:6892 udp
LT 194.165.17.53:6892 udp
LT 194.165.17.54:6892 udp
LT 194.165.17.55:6892 udp
LT 194.165.17.56:6892 udp
LT 194.165.17.57:6892 udp
LT 194.165.17.58:6892 udp
LT 194.165.17.59:6892 udp
LT 194.165.17.60:6892 udp
LT 194.165.17.61:6892 udp
LT 194.165.17.62:6892 udp
LT 194.165.17.63:6892 udp
LT 194.165.17.64:6892 udp
LT 194.165.17.65:6892 udp
LT 194.165.17.66:6892 udp
LT 194.165.17.67:6892 udp
LT 194.165.17.68:6892 udp
LT 194.165.17.69:6892 udp
LT 194.165.17.70:6892 udp
LT 194.165.17.71:6892 udp
LT 194.165.17.72:6892 udp
LT 194.165.17.73:6892 udp
LT 194.165.17.74:6892 udp
LT 194.165.17.75:6892 udp
LT 194.165.17.76:6892 udp
LT 194.165.17.77:6892 udp
LT 194.165.17.78:6892 udp
LT 194.165.17.79:6892 udp
LT 194.165.17.80:6892 udp
LT 194.165.17.81:6892 udp
LT 194.165.17.82:6892 udp
LT 194.165.17.83:6892 udp
LT 194.165.17.84:6892 udp
LT 194.165.17.85:6892 udp
LT 194.165.17.86:6892 udp
LT 194.165.17.87:6892 udp
LT 194.165.17.88:6892 udp
LT 194.165.17.89:6892 udp
LT 194.165.17.90:6892 udp
LT 194.165.17.91:6892 udp
LT 194.165.17.92:6892 udp
LT 194.165.17.93:6892 udp
LT 194.165.17.94:6892 udp
LT 194.165.17.95:6892 udp
LT 194.165.17.96:6892 udp
LT 194.165.17.97:6892 udp
LT 194.165.17.98:6892 udp
LT 194.165.17.99:6892 udp
LT 194.165.17.100:6892 udp
LT 194.165.17.101:6892 udp
LT 194.165.17.102:6892 udp
LT 194.165.17.103:6892 udp
LT 194.165.17.104:6892 udp
LT 194.165.17.105:6892 udp
LT 194.165.17.106:6892 udp
LT 194.165.17.107:6892 udp
LT 194.165.17.108:6892 udp
LT 194.165.17.109:6892 udp
LT 194.165.17.110:6892 udp
LT 194.165.17.111:6892 udp
LT 194.165.17.112:6892 udp
LT 194.165.17.113:6892 udp
LT 194.165.17.114:6892 udp
LT 194.165.17.115:6892 udp
LT 194.165.17.116:6892 udp
LT 194.165.17.117:6892 udp
LT 194.165.17.118:6892 udp
LT 194.165.17.119:6892 udp
LT 194.165.17.120:6892 udp
LT 194.165.17.121:6892 udp
LT 194.165.17.122:6892 udp
LT 194.165.17.123:6892 udp
LT 194.165.17.124:6892 udp
LT 194.165.17.125:6892 udp
LT 194.165.17.126:6892 udp
LT 194.165.17.127:6892 udp
LT 194.165.17.128:6892 udp
LT 194.165.17.129:6892 udp
LT 194.165.17.130:6892 udp
LT 194.165.17.131:6892 udp
LT 194.165.17.132:6892 udp
LT 194.165.17.133:6892 udp
LT 194.165.17.134:6892 udp
LT 194.165.17.135:6892 udp
LT 194.165.17.136:6892 udp
LT 194.165.17.137:6892 udp
LT 194.165.17.138:6892 udp
LT 194.165.17.139:6892 udp
LT 194.165.17.140:6892 udp
LT 194.165.17.141:6892 udp
LT 194.165.17.142:6892 udp
LT 194.165.17.143:6892 udp
LT 194.165.17.144:6892 udp
LT 194.165.17.145:6892 udp
LT 194.165.17.146:6892 udp
LT 194.165.17.147:6892 udp
LT 194.165.17.148:6892 udp
LT 194.165.17.149:6892 udp
LT 194.165.17.150:6892 udp
LT 194.165.17.151:6892 udp
LT 194.165.17.152:6892 udp
LT 194.165.17.153:6892 udp
LT 194.165.17.154:6892 udp
LT 194.165.17.155:6892 udp
LT 194.165.17.156:6892 udp
LT 194.165.17.157:6892 udp
LT 194.165.17.158:6892 udp
LT 194.165.17.159:6892 udp
LT 194.165.17.160:6892 udp
LT 194.165.17.161:6892 udp
LT 194.165.17.162:6892 udp
LT 194.165.17.163:6892 udp
LT 194.165.17.164:6892 udp
LT 194.165.17.165:6892 udp
LT 194.165.17.166:6892 udp
LT 194.165.17.167:6892 udp
LT 194.165.17.168:6892 udp
LT 194.165.17.169:6892 udp
LT 194.165.17.170:6892 udp
LT 194.165.17.171:6892 udp
LT 194.165.17.172:6892 udp
LT 194.165.17.173:6892 udp
LT 194.165.17.174:6892 udp
LT 194.165.17.175:6892 udp
LT 194.165.17.176:6892 udp
LT 194.165.17.177:6892 udp
LT 194.165.17.178:6892 udp
LT 194.165.17.179:6892 udp
LT 194.165.17.180:6892 udp
LT 194.165.17.181:6892 udp
LT 194.165.17.182:6892 udp
LT 194.165.17.183:6892 udp
LT 194.165.17.184:6892 udp
LT 194.165.17.185:6892 udp
LT 194.165.17.186:6892 udp
LT 194.165.17.187:6892 udp
LT 194.165.17.188:6892 udp
LT 194.165.17.189:6892 udp
LT 194.165.17.190:6892 udp
LT 194.165.17.191:6892 udp
LT 194.165.17.192:6892 udp
LT 194.165.17.193:6892 udp
LT 194.165.17.194:6892 udp
LT 194.165.17.195:6892 udp
LT 194.165.17.196:6892 udp
LT 194.165.17.197:6892 udp
LT 194.165.17.198:6892 udp
LT 194.165.17.199:6892 udp
LT 194.165.17.200:6892 udp
LT 194.165.17.201:6892 udp
LT 194.165.17.202:6892 udp
LT 194.165.17.203:6892 udp
LT 194.165.17.204:6892 udp
LT 194.165.17.205:6892 udp
LT 194.165.17.206:6892 udp
LT 194.165.17.207:6892 udp
LT 194.165.17.208:6892 udp
LT 194.165.17.209:6892 udp
LT 194.165.17.210:6892 udp
LT 194.165.17.211:6892 udp
LT 194.165.17.212:6892 udp
LT 194.165.17.213:6892 udp
LT 194.165.17.214:6892 udp
LT 194.165.17.215:6892 udp
LT 194.165.17.216:6892 udp
LT 194.165.17.217:6892 udp
LT 194.165.17.218:6892 udp
LT 194.165.17.219:6892 udp
LT 194.165.17.220:6892 udp
LT 194.165.17.221:6892 udp
LT 194.165.17.222:6892 udp
LT 194.165.17.223:6892 udp
LT 194.165.17.224:6892 udp
LT 194.165.17.225:6892 udp
LT 194.165.17.226:6892 udp
LT 194.165.17.227:6892 udp
LT 194.165.17.228:6892 udp
LT 194.165.17.229:6892 udp
LT 194.165.17.230:6892 udp
LT 194.165.17.231:6892 udp
LT 194.165.17.232:6892 udp
LT 194.165.17.233:6892 udp
LT 194.165.17.234:6892 udp
LT 194.165.17.235:6892 udp
LT 194.165.17.236:6892 udp
LT 194.165.17.237:6892 udp
LT 194.165.17.238:6892 udp
LT 194.165.17.239:6892 udp
LT 194.165.17.240:6892 udp
LT 194.165.17.241:6892 udp
LT 194.165.17.242:6892 udp
LT 194.165.17.243:6892 udp
LT 194.165.17.244:6892 udp
LT 194.165.17.245:6892 udp
LT 194.165.17.246:6892 udp
LT 194.165.17.247:6892 udp
LT 194.165.17.248:6892 udp
LT 194.165.17.249:6892 udp
LT 194.165.17.250:6892 udp
LT 194.165.17.251:6892 udp
LT 194.165.17.252:6892 udp
LT 194.165.17.253:6892 udp
LT 194.165.17.254:6892 udp
LT 194.165.17.255:6892 udp
N/A 192.168.0.0:6892 udp
N/A 192.168.0.1:6892 udp
N/A 192.168.0.2:6892 udp
N/A 192.168.0.3:6892 udp
N/A 192.168.0.4:6892 udp
N/A 192.168.0.5:6892 udp
N/A 192.168.0.6:6892 udp
N/A 192.168.0.7:6892 udp
N/A 192.168.0.8:6892 udp
N/A 192.168.0.9:6892 udp
N/A 192.168.0.10:6892 udp
N/A 192.168.0.11:6892 udp
N/A 192.168.0.12:6892 udp
N/A 192.168.0.13:6892 udp
N/A 192.168.0.14:6892 udp
N/A 192.168.0.15:6892 udp
N/A 192.168.0.16:6892 udp
N/A 192.168.0.17:6892 udp
N/A 192.168.0.18:6892 udp
N/A 192.168.0.19:6892 udp
N/A 192.168.0.20:6892 udp
N/A 192.168.0.21:6892 udp
N/A 192.168.0.22:6892 udp
N/A 192.168.0.23:6892 udp
N/A 192.168.0.24:6892 udp
N/A 192.168.0.25:6892 udp
N/A 192.168.0.26:6892 udp
N/A 192.168.0.27:6892 udp
N/A 192.168.0.28:6892 udp
N/A 192.168.0.29:6892 udp
N/A 192.168.0.30:6892 udp
N/A 192.168.0.31:6892 udp
LT 194.165.16.0:6892 udp
LT 194.165.16.1:6892 udp
LT 194.165.16.2:6892 udp
LT 194.165.16.3:6892 udp
LT 194.165.16.4:6892 udp
LT 194.165.16.5:6892 udp
LT 194.165.16.6:6892 udp
LT 194.165.16.7:6892 udp
LT 194.165.16.8:6892 udp
LT 194.165.16.9:6892 udp
LT 194.165.16.10:6892 udp
LT 194.165.16.11:6892 udp
LT 194.165.16.12:6892 udp
LT 194.165.16.13:6892 udp
LT 194.165.16.14:6892 udp
LT 194.165.16.15:6892 udp
LT 194.165.16.16:6892 udp
LT 194.165.16.17:6892 udp
LT 194.165.16.18:6892 udp
LT 194.165.16.19:6892 udp
LT 194.165.16.20:6892 udp
LT 194.165.16.21:6892 udp
LT 194.165.16.22:6892 udp
LT 194.165.16.23:6892 udp
LT 194.165.16.24:6892 udp
LT 194.165.16.25:6892 udp
LT 194.165.16.26:6892 udp
LT 194.165.16.27:6892 udp
LT 194.165.16.28:6892 udp
LT 194.165.16.29:6892 udp
LT 194.165.16.30:6892 udp
LT 194.165.16.31:6892 udp
LT 194.165.16.32:6892 udp
LT 194.165.16.33:6892 udp
LT 194.165.16.34:6892 udp
LT 194.165.16.35:6892 udp
LT 194.165.16.36:6892 udp
LT 194.165.16.37:6892 udp
LT 194.165.16.38:6892 udp
LT 194.165.16.39:6892 udp
LT 194.165.16.40:6892 udp
LT 194.165.16.41:6892 udp
LT 194.165.16.42:6892 udp
LT 194.165.16.43:6892 udp
LT 194.165.16.44:6892 udp
LT 194.165.16.45:6892 udp
LT 194.165.16.46:6892 udp
LT 194.165.16.47:6892 udp
LT 194.165.16.48:6892 udp
LT 194.165.16.49:6892 udp
LT 194.165.16.50:6892 udp
LT 194.165.16.51:6892 udp
LT 194.165.16.52:6892 udp
LT 194.165.16.53:6892 udp
LT 194.165.16.54:6892 udp
LT 194.165.16.55:6892 udp
LT 194.165.16.56:6892 udp
LT 194.165.16.57:6892 udp
LT 194.165.16.58:6892 udp
LT 194.165.16.59:6892 udp
LT 194.165.16.60:6892 udp
LT 194.165.16.61:6892 udp
LT 194.165.16.62:6892 udp
LT 194.165.16.63:6892 udp
LT 194.165.16.64:6892 udp
LT 194.165.16.65:6892 udp
LT 194.165.16.66:6892 udp
LT 194.165.16.67:6892 udp
LT 194.165.16.68:6892 udp
LT 194.165.16.69:6892 udp
LT 194.165.16.70:6892 udp
LT 194.165.16.71:6892 udp
LT 194.165.16.72:6892 udp
LT 194.165.16.73:6892 udp
LT 194.165.16.74:6892 udp
LT 194.165.16.75:6892 udp
LT 194.165.16.76:6892 udp
LT 194.165.16.77:6892 udp
LT 194.165.16.78:6892 udp
LT 194.165.16.79:6892 udp
LT 194.165.16.80:6892 udp
LT 194.165.16.81:6892 udp
LT 194.165.16.82:6892 udp
LT 194.165.16.83:6892 udp
LT 194.165.16.84:6892 udp
LT 194.165.16.85:6892 udp
LT 194.165.16.86:6892 udp
LT 194.165.16.87:6892 udp
LT 194.165.16.88:6892 udp
LT 194.165.16.89:6892 udp
LT 194.165.16.90:6892 udp
LT 194.165.16.91:6892 udp
LT 194.165.16.92:6892 udp
LT 194.165.16.93:6892 udp
LT 194.165.16.94:6892 udp
LT 194.165.16.95:6892 udp
LT 194.165.16.96:6892 udp
LT 194.165.16.97:6892 udp
LT 194.165.16.98:6892 udp
LT 194.165.16.99:6892 udp
LT 194.165.16.100:6892 udp
LT 194.165.16.101:6892 udp
LT 194.165.16.102:6892 udp
LT 194.165.16.103:6892 udp
LT 194.165.16.104:6892 udp
LT 194.165.16.105:6892 udp
LT 194.165.16.106:6892 udp
LT 194.165.16.107:6892 udp
LT 194.165.16.108:6892 udp
LT 194.165.16.109:6892 udp
LT 194.165.16.110:6892 udp
LT 194.165.16.111:6892 udp
LT 194.165.16.112:6892 udp
LT 194.165.16.113:6892 udp
LT 194.165.16.114:6892 udp
LT 194.165.16.115:6892 udp
LT 194.165.16.116:6892 udp
LT 194.165.16.117:6892 udp
LT 194.165.16.118:6892 udp
LT 194.165.16.119:6892 udp
LT 194.165.16.120:6892 udp
LT 194.165.16.121:6892 udp
LT 194.165.16.122:6892 udp
LT 194.165.16.123:6892 udp
LT 194.165.16.124:6892 udp
LT 194.165.16.125:6892 udp
LT 194.165.16.126:6892 udp
LT 194.165.16.127:6892 udp
LT 194.165.16.128:6892 udp
LT 194.165.16.129:6892 udp
LT 194.165.16.130:6892 udp
LT 194.165.16.131:6892 udp
LT 194.165.16.132:6892 udp
LT 194.165.16.133:6892 udp
LT 194.165.16.134:6892 udp
LT 194.165.16.135:6892 udp
LT 194.165.16.136:6892 udp
LT 194.165.16.137:6892 udp
LT 194.165.16.138:6892 udp
LT 194.165.16.139:6892 udp
LT 194.165.16.140:6892 udp
LT 194.165.16.141:6892 udp
LT 194.165.16.142:6892 udp
LT 194.165.16.143:6892 udp
LT 194.165.16.144:6892 udp
LT 194.165.16.145:6892 udp
LT 194.165.16.146:6892 udp
LT 194.165.16.147:6892 udp
LT 194.165.16.148:6892 udp
LT 194.165.16.149:6892 udp
LT 194.165.16.150:6892 udp
LT 194.165.16.151:6892 udp
LT 194.165.16.152:6892 udp
LT 194.165.16.153:6892 udp
LT 194.165.16.154:6892 udp
LT 194.165.16.155:6892 udp
LT 194.165.16.156:6892 udp
LT 194.165.16.157:6892 udp
LT 194.165.16.158:6892 udp
LT 194.165.16.159:6892 udp
LT 194.165.16.160:6892 udp
LT 194.165.16.161:6892 udp
LT 194.165.16.162:6892 udp
LT 194.165.16.163:6892 udp
LT 194.165.16.164:6892 udp
LT 194.165.16.165:6892 udp
LT 194.165.16.166:6892 udp
LT 194.165.16.167:6892 udp
LT 194.165.16.168:6892 udp
LT 194.165.16.169:6892 udp
LT 194.165.16.170:6892 udp
LT 194.165.16.171:6892 udp
LT 194.165.16.172:6892 udp
LT 194.165.16.173:6892 udp
LT 194.165.16.174:6892 udp
LT 194.165.16.175:6892 udp
LT 194.165.16.176:6892 udp
LT 194.165.16.177:6892 udp
LT 194.165.16.178:6892 udp
LT 194.165.16.179:6892 udp
LT 194.165.16.180:6892 udp
LT 194.165.16.181:6892 udp
LT 194.165.16.182:6892 udp
LT 194.165.16.183:6892 udp
LT 194.165.16.184:6892 udp
LT 194.165.16.185:6892 udp
LT 194.165.16.186:6892 udp
LT 194.165.16.187:6892 udp
LT 194.165.16.188:6892 udp
LT 194.165.16.189:6892 udp
LT 194.165.16.190:6892 udp
LT 194.165.16.191:6892 udp
LT 194.165.16.192:6892 udp
LT 194.165.16.193:6892 udp
LT 194.165.16.194:6892 udp
LT 194.165.16.195:6892 udp
LT 194.165.16.196:6892 udp
LT 194.165.16.197:6892 udp
LT 194.165.16.198:6892 udp
LT 194.165.16.199:6892 udp
LT 194.165.16.200:6892 udp
LT 194.165.16.201:6892 udp
LT 194.165.16.202:6892 udp
LT 194.165.16.203:6892 udp
LT 194.165.16.204:6892 udp
LT 194.165.16.205:6892 udp
LT 194.165.16.206:6892 udp
LT 194.165.16.207:6892 udp
LT 194.165.16.208:6892 udp
LT 194.165.16.209:6892 udp
LT 194.165.16.210:6892 udp
LT 194.165.16.211:6892 udp
LT 194.165.16.212:6892 udp
LT 194.165.16.213:6892 udp
LT 194.165.16.214:6892 udp
LT 194.165.16.215:6892 udp
LT 194.165.16.216:6892 udp
LT 194.165.16.217:6892 udp
LT 194.165.16.218:6892 udp
LT 194.165.16.219:6892 udp
LT 194.165.16.220:6892 udp
LT 194.165.16.221:6892 udp
LT 194.165.16.222:6892 udp
LT 194.165.16.223:6892 udp
LT 194.165.16.224:6892 udp
LT 194.165.16.225:6892 udp
LT 194.165.16.226:6892 udp
LT 194.165.16.227:6892 udp
LT 194.165.16.228:6892 udp
LT 194.165.16.229:6892 udp
LT 194.165.16.230:6892 udp
LT 194.165.16.231:6892 udp
LT 194.165.16.232:6892 udp
LT 194.165.16.233:6892 udp
LT 194.165.16.234:6892 udp
LT 194.165.16.235:6892 udp
LT 194.165.16.236:6892 udp
LT 194.165.16.237:6892 udp
LT 194.165.16.238:6892 udp
LT 194.165.16.239:6892 udp
LT 194.165.16.240:6892 udp
LT 194.165.16.241:6892 udp
LT 194.165.16.242:6892 udp
LT 194.165.16.243:6892 udp
LT 194.165.16.244:6892 udp
LT 194.165.16.245:6892 udp
LT 194.165.16.246:6892 udp
LT 194.165.16.247:6892 udp
LT 194.165.16.248:6892 udp
LT 194.165.16.249:6892 udp
LT 194.165.16.250:6892 udp
LT 194.165.16.251:6892 udp
LT 194.165.16.252:6892 udp
LT 194.165.16.253:6892 udp
LT 194.165.16.254:6892 udp
N/A 127.0.0.0:6892 udp
N/A 127.0.0.1:6892 udp
N/A 127.0.0.2:6892 udp
N/A 127.0.0.3:6892 udp
N/A 127.0.0.4:6892 udp
N/A 127.0.0.5:6892 udp
N/A 127.0.0.6:6892 udp
N/A 127.0.0.7:6892 udp
N/A 127.0.0.8:6892 udp
N/A 127.0.0.9:6892 udp
N/A 127.0.0.10:6892 udp
N/A 127.0.0.11:6892 udp
N/A 127.0.0.12:6892 udp
N/A 127.0.0.13:6892 udp
N/A 127.0.0.14:6892 udp
N/A 127.0.0.15:6892 udp
N/A 127.0.0.16:6892 udp
N/A 127.0.0.17:6892 udp
N/A 127.0.0.18:6892 udp
N/A 127.0.0.19:6892 udp
N/A 127.0.0.20:6892 udp
N/A 127.0.0.21:6892 udp
N/A 127.0.0.22:6892 udp
N/A 127.0.0.23:6892 udp
N/A 127.0.0.24:6892 udp
N/A 127.0.0.25:6892 udp
N/A 127.0.0.26:6892 udp
N/A 127.0.0.27:6892 udp
N/A 127.0.0.28:6892 udp
N/A 127.0.0.29:6892 udp
N/A 127.0.0.30:6892 udp
N/A 127.0.0.31:6892 udp
LT 194.165.16.255:6892 udp
LT 194.165.17.0:6892 udp
LT 194.165.17.1:6892 udp
LT 194.165.17.2:6892 udp
LT 194.165.17.3:6892 udp
LT 194.165.17.4:6892 udp
LT 194.165.17.5:6892 udp
LT 194.165.17.6:6892 udp
LT 194.165.17.7:6892 udp
LT 194.165.17.8:6892 udp
LT 194.165.17.9:6892 udp
LT 194.165.17.10:6892 udp
LT 194.165.17.11:6892 udp
LT 194.165.17.12:6892 udp
LT 194.165.17.13:6892 udp
LT 194.165.17.14:6892 udp
LT 194.165.17.15:6892 udp
LT 194.165.17.16:6892 udp
LT 194.165.17.17:6892 udp
LT 194.165.17.18:6892 udp
LT 194.165.17.19:6892 udp
LT 194.165.17.20:6892 udp
LT 194.165.17.21:6892 udp
LT 194.165.17.22:6892 udp
LT 194.165.17.23:6892 udp
LT 194.165.17.24:6892 udp
LT 194.165.17.25:6892 udp
LT 194.165.17.26:6892 udp
LT 194.165.17.27:6892 udp
LT 194.165.17.28:6892 udp
LT 194.165.17.29:6892 udp
LT 194.165.17.30:6892 udp
LT 194.165.17.31:6892 udp
LT 194.165.17.32:6892 udp
LT 194.165.17.33:6892 udp
LT 194.165.17.34:6892 udp
LT 194.165.17.35:6892 udp
LT 194.165.17.36:6892 udp
LT 194.165.17.37:6892 udp
LT 194.165.17.38:6892 udp
LT 194.165.17.39:6892 udp
LT 194.165.17.40:6892 udp
LT 194.165.17.41:6892 udp
LT 194.165.17.42:6892 udp
LT 194.165.17.43:6892 udp
LT 194.165.17.44:6892 udp
LT 194.165.17.45:6892 udp
LT 194.165.17.46:6892 udp
LT 194.165.17.47:6892 udp
LT 194.165.17.48:6892 udp
LT 194.165.17.49:6892 udp
LT 194.165.17.50:6892 udp
LT 194.165.17.51:6892 udp
LT 194.165.17.52:6892 udp
LT 194.165.17.53:6892 udp
LT 194.165.17.54:6892 udp
LT 194.165.17.55:6892 udp
LT 194.165.17.56:6892 udp
LT 194.165.17.57:6892 udp
LT 194.165.17.58:6892 udp
LT 194.165.17.59:6892 udp
LT 194.165.17.60:6892 udp
LT 194.165.17.61:6892 udp
LT 194.165.17.62:6892 udp
LT 194.165.17.63:6892 udp
LT 194.165.17.64:6892 udp
LT 194.165.17.65:6892 udp
LT 194.165.17.66:6892 udp
LT 194.165.17.67:6892 udp
LT 194.165.17.68:6892 udp
LT 194.165.17.69:6892 udp
LT 194.165.17.70:6892 udp
LT 194.165.17.71:6892 udp
LT 194.165.17.72:6892 udp
LT 194.165.17.73:6892 udp
LT 194.165.17.74:6892 udp
LT 194.165.17.75:6892 udp
LT 194.165.17.76:6892 udp
LT 194.165.17.77:6892 udp
LT 194.165.17.78:6892 udp
LT 194.165.17.79:6892 udp
LT 194.165.17.80:6892 udp
LT 194.165.17.81:6892 udp
LT 194.165.17.82:6892 udp
LT 194.165.17.83:6892 udp
LT 194.165.17.84:6892 udp
LT 194.165.17.85:6892 udp
LT 194.165.17.86:6892 udp
LT 194.165.17.87:6892 udp
LT 194.165.17.88:6892 udp
LT 194.165.17.89:6892 udp
LT 194.165.17.90:6892 udp
LT 194.165.17.91:6892 udp
LT 194.165.17.92:6892 udp
LT 194.165.17.93:6892 udp
LT 194.165.17.94:6892 udp
LT 194.165.17.95:6892 udp
LT 194.165.17.96:6892 udp
LT 194.165.17.97:6892 udp
LT 194.165.17.98:6892 udp
LT 194.165.17.99:6892 udp
LT 194.165.17.100:6892 udp
LT 194.165.17.101:6892 udp
LT 194.165.17.102:6892 udp
LT 194.165.17.103:6892 udp
LT 194.165.17.104:6892 udp
LT 194.165.17.105:6892 udp
LT 194.165.17.106:6892 udp
LT 194.165.17.107:6892 udp
LT 194.165.17.108:6892 udp
LT 194.165.17.109:6892 udp
LT 194.165.17.110:6892 udp
LT 194.165.17.111:6892 udp
LT 194.165.17.112:6892 udp
LT 194.165.17.113:6892 udp
LT 194.165.17.114:6892 udp
LT 194.165.17.115:6892 udp
LT 194.165.17.116:6892 udp
LT 194.165.17.117:6892 udp
LT 194.165.17.118:6892 udp
LT 194.165.17.119:6892 udp
LT 194.165.17.120:6892 udp
LT 194.165.17.121:6892 udp
LT 194.165.17.122:6892 udp
LT 194.165.17.123:6892 udp
LT 194.165.17.124:6892 udp
LT 194.165.17.125:6892 udp
LT 194.165.17.126:6892 udp
LT 194.165.17.127:6892 udp
LT 194.165.17.128:6892 udp
LT 194.165.17.129:6892 udp
LT 194.165.17.130:6892 udp
LT 194.165.17.131:6892 udp
LT 194.165.17.132:6892 udp
LT 194.165.17.133:6892 udp
LT 194.165.17.134:6892 udp
LT 194.165.17.135:6892 udp
LT 194.165.17.136:6892 udp
LT 194.165.17.137:6892 udp
LT 194.165.17.138:6892 udp
LT 194.165.17.139:6892 udp
LT 194.165.17.140:6892 udp
LT 194.165.17.141:6892 udp
LT 194.165.17.142:6892 udp
LT 194.165.17.143:6892 udp
LT 194.165.17.144:6892 udp
LT 194.165.17.145:6892 udp
LT 194.165.17.146:6892 udp
LT 194.165.17.147:6892 udp
LT 194.165.17.148:6892 udp
LT 194.165.17.149:6892 udp
LT 194.165.17.150:6892 udp
LT 194.165.17.151:6892 udp
LT 194.165.17.152:6892 udp
LT 194.165.17.153:6892 udp
LT 194.165.17.154:6892 udp
LT 194.165.17.155:6892 udp
LT 194.165.17.156:6892 udp
LT 194.165.17.157:6892 udp
LT 194.165.17.158:6892 udp
LT 194.165.17.159:6892 udp
LT 194.165.17.160:6892 udp
LT 194.165.17.161:6892 udp
LT 194.165.17.162:6892 udp
LT 194.165.17.163:6892 udp
LT 194.165.17.164:6892 udp
LT 194.165.17.165:6892 udp
LT 194.165.17.166:6892 udp
LT 194.165.17.167:6892 udp
LT 194.165.17.168:6892 udp
LT 194.165.17.169:6892 udp
LT 194.165.17.170:6892 udp
LT 194.165.17.171:6892 udp
LT 194.165.17.172:6892 udp
LT 194.165.17.173:6892 udp
LT 194.165.17.174:6892 udp
LT 194.165.17.175:6892 udp
LT 194.165.17.176:6892 udp
LT 194.165.17.177:6892 udp
LT 194.165.17.178:6892 udp
LT 194.165.17.179:6892 udp
LT 194.165.17.180:6892 udp
LT 194.165.17.181:6892 udp
LT 194.165.17.182:6892 udp
LT 194.165.17.183:6892 udp
LT 194.165.17.184:6892 udp
LT 194.165.17.185:6892 udp
LT 194.165.17.186:6892 udp
LT 194.165.17.187:6892 udp
LT 194.165.17.188:6892 udp
LT 194.165.17.189:6892 udp
LT 194.165.17.190:6892 udp
LT 194.165.17.191:6892 udp
LT 194.165.17.192:6892 udp
LT 194.165.17.193:6892 udp
LT 194.165.17.194:6892 udp
LT 194.165.17.195:6892 udp
LT 194.165.17.196:6892 udp
LT 194.165.17.197:6892 udp
LT 194.165.17.198:6892 udp
LT 194.165.17.199:6892 udp
LT 194.165.17.200:6892 udp
LT 194.165.17.201:6892 udp
LT 194.165.17.202:6892 udp
LT 194.165.17.203:6892 udp
LT 194.165.17.204:6892 udp
LT 194.165.17.205:6892 udp
LT 194.165.17.206:6892 udp
LT 194.165.17.207:6892 udp
LT 194.165.17.208:6892 udp
LT 194.165.17.209:6892 udp
LT 194.165.17.210:6892 udp
LT 194.165.17.211:6892 udp
LT 194.165.17.212:6892 udp
LT 194.165.17.213:6892 udp
LT 194.165.17.214:6892 udp
LT 194.165.17.215:6892 udp
LT 194.165.17.216:6892 udp
LT 194.165.17.217:6892 udp
LT 194.165.17.218:6892 udp
LT 194.165.17.219:6892 udp
LT 194.165.17.220:6892 udp
LT 194.165.17.221:6892 udp
LT 194.165.17.222:6892 udp
LT 194.165.17.223:6892 udp
LT 194.165.17.224:6892 udp
LT 194.165.17.225:6892 udp
LT 194.165.17.226:6892 udp
LT 194.165.17.227:6892 udp
LT 194.165.17.228:6892 udp
LT 194.165.17.229:6892 udp
LT 194.165.17.230:6892 udp
LT 194.165.17.231:6892 udp
LT 194.165.17.232:6892 udp
LT 194.165.17.233:6892 udp
LT 194.165.17.234:6892 udp
LT 194.165.17.235:6892 udp
LT 194.165.17.236:6892 udp
LT 194.165.17.237:6892 udp
LT 194.165.17.238:6892 udp
LT 194.165.17.239:6892 udp
LT 194.165.17.240:6892 udp
LT 194.165.17.241:6892 udp
LT 194.165.17.242:6892 udp
LT 194.165.17.243:6892 udp
LT 194.165.17.244:6892 udp
LT 194.165.17.245:6892 udp
LT 194.165.17.246:6892 udp
LT 194.165.17.247:6892 udp
LT 194.165.17.248:6892 udp
LT 194.165.17.249:6892 udp
LT 194.165.17.250:6892 udp
LT 194.165.17.251:6892 udp
LT 194.165.17.252:6892 udp
LT 194.165.17.253:6892 udp
LT 194.165.17.254:6892 udp
LT 194.165.17.255:6892 udp
US 8.8.8.8:53 avsxrcoq2q5fgrw2.9mu6vk.top udp
US 8.8.8.8:53 btc.blockr.io udp
US 8.8.8.8:53 api.blockcypher.com udp
US 104.20.98.10:80 api.blockcypher.com tcp
US 8.8.8.8:53 chain.so udp
US 172.67.40.90:443 chain.so tcp
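The rows above are the raw record behind the "Contacts a large (517) amount of remote hosts" signature: one UDP datagram to port 6892 per address, walked sequentially through contiguous blocks (194.165.16.146 through 194.165.17.255 and 127.0.0.0 through 127.0.0.31 in this slice), followed by DNS lookups for bitcoin block-explorer hosts. A detection engineer usually wants this reduced to a feature rather than a list of 500 destinations: a single destination port, a large number of distinct hosts, and long runs of numerically consecutive addresses. The script below is an added example, not code from the sandbox or from this report; it parses rows in the exact shape of the table (country, ip:port, optional domain, proto) and collapses a UDP sweep into CIDR blocks. The 64-host threshold is an assumed cut-off, and the sample rows are constructed to mirror the table rather than copied from it.

```python
import ipaddress
import re
from collections import defaultdict

# Row shape taken from the sandbox network table: country, ip:port, optional
# domain, protocol. Loopback rows carry "N/A" as the country; some DNS rows
# have no domain column at all, so the domain group is optional.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse sandbox network rows into (ip, port, proto). Header lines, blank
    lines and anything else that does not match the row shape are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((ipaddress.ip_address(m["ip"]), int(m["port"]), m["proto"]))
    return events


def longest_consecutive_run(ips):
    """Length of the longest run of numerically consecutive addresses.
    A sequential sweep produces one long run; a bootstrap peer list does not."""
    ordered = sorted(set(ips))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if int(cur) == int(prev) + 1 else 1
        best = max(best, run)
    return best


def find_udp_sweeps(events, min_hosts=64):
    """Group destinations by (port, proto) and flag UDP groups that reach at
    least min_hosts distinct addresses (assumed threshold). For each flagged
    group report the host count, the longest contiguous run, and the collapsed
    CIDR blocks the sweep covered."""
    by_key = defaultdict(set)
    for ip, port, proto in events:
        by_key[(port, proto)].add(ip)
    sweeps = {}
    for (port, proto), ips in by_key.items():
        if proto != "udp" or len(ips) < min_hosts:
            continue
        nets = ipaddress.collapse_addresses(ipaddress.ip_network(str(ip)) for ip in ips)
        sweeps[(port, proto)] = {
            "hosts": len(ips),
            "longest_run": longest_consecutive_run(ips),
            "networks": [str(n) for n in nets],
        }
    return sweeps


def constructed_sample():
    """Constructed rows modelled on the table above (not a copy of the log):
    the 194.165.16.146-194.165.17.255 sweep on UDP/6892, the 127.0.0.0/27
    loopback rows, a header line, and DNS/TCP rows that must not be flagged."""
    rows = []
    first = ipaddress.ip_address("194.165.16.146")
    last = ipaddress.ip_address("194.165.17.255")
    for i in range(int(last) - int(first) + 1):
        rows.append(f"LT {first + i}:6892 udp")
    for i in range(32):
        rows.append(f"N/A 127.0.0.{i}:6892 udp")
    rows += [
        "Country Destination Domain Proto",
        "US 8.8.8.8:53 btc.blockr.io udp",
        "US 8.8.8.8:53 api.blockcypher.com udp",
        "US 104.20.98.10:80 api.blockcypher.com tcp",
        "US 8.8.8.8:53 udp",
    ]
    return "\n".join(rows)


if __name__ == "__main__":
    for (port, proto), info in find_udp_sweeps(parse_rows(constructed_sample())).items():
        print(f"{proto}/{port}: {info['hosts']} hosts, longest run {info['longest_run']}, "
              f"blocks {', '.join(info['networks'])}")
```

The three outputs are the ones worth logging: host count matches the sandbox's own signature, the longest run separates a sequential sweep from a scattered peer list, and the collapsed blocks give a compact indicator (here one /27 of loopback and the upper part of 194.165.16.0/23) instead of several hundred individual addresses. DNS traffic to 8.8.8.8 is never flagged because it is one host regardless of how many names are resolved.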

Files

\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

memory/1760-11-0x00000000003C0000-0x00000000003ED000-memory.dmp

memory/2664-13-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2664-15-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2664-16-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2664-21-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2664-22-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1760-24-0x00000000003C0000-0x00000000003ED000-memory.dmp

memory/2664-25-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2664-27-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2664-26-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\Pictures\_README_.hta

MD5 2d1e6a29ba1380cba775d03d10e40937
SHA1 464e9b865800ea96f9695ec6d0ae555ff7927bf3
SHA256 566fffb2357b35d01eca9e2c01590906e3541c67b996aa7df824a3a5540609a1
SHA512 82010207480f589bf65d56fdde5f647ab1353dfd181986f4f1091b803c33e1b2d8555724944582df8fc61b68c7b134a19f73e16e69c6b7a176cc99ed94148253

memory/2664-299-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2664-305-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2664-316-0x0000000000400000-0x0000000000432000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 18:04

Reported

2024-05-13 18:06

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3c23060bff44df650a2def69bf0733a7_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2680 -ip 2680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 864

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nsz52C4.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

memory/2680-10-0x0000000002180000-0x00000000021AD000-memory.dmp

memory/2680-12-0x0000000002180000-0x00000000021AD000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-13 18:04

Reported

2024-05-13 18:06

Platform

win10v2004-20240508-en

Max time kernel

120s

Max time network

93s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4044 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4044 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4044 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-13 18:04

Reported

2024-05-13 18:06

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 e4cd221c4e43b554715b0a8a57434a46
SHA1 4f07d920d8fe3bd614cc229f114b312f26013880
SHA256 16a3798c80a0dd793b583892535687b0ce2e10ff10675ae159fe6d42fa17aeea
SHA512 ef54ddaab0ac420fe868d089a1f8d08134802bcf192070ad1e87236836d5c5a04037daf6f862d7c9b116b3863347969cc0fa1ee76260eb4621760015900e6725

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-13 18:04

Reported

2024-05-13 18:06

Platform

win10v2004-20240508-en

Max time kernel

128s

Max time network

139s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\store.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\store.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3400,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3748,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5296,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5300,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5440 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5744,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5640,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3948,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4192 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 astore.amazon.com udp
US 8.8.8.8:53 astore.amazon.com udp
US 8.8.8.8:53 astore.amazon.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 176.32.98.40:80 astore.amazon.com tcp
NL 2.18.121.10:443 bzib.nelreports.net tcp
US 8.8.8.8:53 rcm.amazon.com udp
US 8.8.8.8:53 rcm.amazon.com udp
US 8.8.8.8:53 www.jjtc.com udp
US 8.8.8.8:53 www.jjtc.com udp
US 176.32.98.40:80 astore.amazon.com tcp
US 8.8.8.8:53 rcm.amazon.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 67.20.76.247:80 www.jjtc.com tcp
US 8.8.8.8:53 g-ecx.images-amazon.com udp
US 8.8.8.8:53 g-ecx.images-amazon.com udp
US 52.84.197.43:80 g-ecx.images-amazon.com tcp
US 67.20.76.247:80 www.jjtc.com tcp
US 8.8.8.8:53 www.jjtc.com udp
US 8.8.8.8:53 www.jjtc.com udp
US 67.20.76.247:443 www.jjtc.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 10.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 40.98.32.176.in-addr.arpa udp
US 8.8.8.8:53 206.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.197.84.52.in-addr.arpa udp
US 8.8.8.8:53 247.76.20.67.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.185:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.59:443 www.bing.com tcp
US 8.8.8.8:53 59.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-13 18:04

Reported

2024-05-13 18:06

Platform

win7-20231129-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\store.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{33629071-1153-11EF-888E-CA4C2FB69A12} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421785319" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d1b2f9d0e990d4e9712b8e5b490bb6c00000000020000000000106600000001000020000000d51c047a4651a91f3e5247d69240215d7c3a7e7b4ff0e92fd7bbb5b4b0482fc8000000000e80000000020000200000008e72ef4684366d06f5473db36a5c3ddde56b090f071122a776750bf2cdcfea4b200000002ba298a700b9fb72470c11669ed65568ef642169e031b7dd8f49f0602d5f824d400000008067dab742bff37c00cadf05ae7ab76cf1459cad37df6cf4b3dab827634550d74b171e02ade6515f9cfb53f3f5e0e5e5b88e7216586efbd757a46b22e6cd71f6 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d030b30a60a5da01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\store.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 rcm.amazon.com udp
US 8.8.8.8:53 www.jjtc.com udp
US 67.20.76.247:80 www.jjtc.com tcp
US 67.20.76.247:80 www.jjtc.com tcp
US 8.8.8.8:53 astore.amazon.com udp
US 176.32.98.40:80 astore.amazon.com tcp
US 176.32.98.40:80 astore.amazon.com tcp
US 8.8.8.8:53 g-ecx.images-amazon.com udp
US 67.20.76.247:443 www.jjtc.com tcp
US 52.84.197.43:80 g-ecx.images-amazon.com tcp
US 52.84.197.43:80 g-ecx.images-amazon.com tcp
US 67.20.76.247:443 www.jjtc.com tcp
US 67.20.76.247:443 www.jjtc.com tcp
US 67.20.76.247:443 www.jjtc.com tcp
US 8.8.8.8:53 rcm.amazon.com udp
FR 172.217.20.206:80 www.google-analytics.com tcp
FR 172.217.20.206:80 www.google-analytics.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.62.61.160:80 www.bing.com tcp
NL 23.62.61.160:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar42D0.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2a7a66dfbeb5a6e3226fa8515c3d775
SHA1 faa4839e06ccacb262173ec0813234556c05203e
SHA256 a9248b229b4292352a147e06fcbe30b1f21946dde8e1e720ae36302d7ece14cc
SHA512 3e2b8d0aed0f3e3651bec1ab8123e7286e331241b0b450257b08886bf8b5ee4838ecbb85fd24e0a0dcec222145bd61e339ae1635e3ec4689e0c851ed2cae029f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bd8f532273f211b99f870401f3da0df
SHA1 71d20243cf6c05b20b9ad324ef2cb15268f47b77
SHA256 8444423caf264640a6129eac56da4c1cc7e66c5c268fefebba250b72c99a7642
SHA512 a0a4b4d1b28ec91db39133457242d22d3bb5b1503e085dd5175d5f189b591dd9922b30e5247aa575aee3541ad848de167e9ee0439c3859c544da020fe844f8f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 9862ac0596e2eab2d95a9e03fa7cf1f1
SHA1 7db78d80acc60244fdda785e96fb349546fd63e6
SHA256 0eac9d1054162dc89ea41509f9ee92d6cf189112249ee1c81d801c7cff3675fa
SHA512 eda3af1d2a80159cbb718e4b32cd2f92bfa589bb97aa9f4788a53ed31479ea5cdccd0662e95d41d86732dd6ce8c9d806dacae6eb362f8a66e3f7ab5973880fb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2349f58844f09d4551f925e8cfa23312
SHA1 67dc56b41a8f9be82eadeee1d2aef6583a79d604
SHA256 aa576aaf66df00ee90932f1b6c036d6040be2bf4daa71c3e72b38770679d2eee
SHA512 cb38eb6670b1d99d0fe6833c1a38d82e3d1f35a0ff01e156dbc58617322f99bf6b7ef462e569a78bdf4e89ae69e55a01b61631111a0802dd68571cd0419a46a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6f08ca2687895546a4ddf714c80422e
SHA1 80696e829a0105c22eda052c94b50a60a82daff5
SHA256 eee018bda5fd1dcff003bccb7bdb511422786cf6696e2a0e15f7766ce1bb247a
SHA512 172a688c2a7f2f71118c6d997f830b9ec9e56140290b1ef74b68d7df725e60e2d7b5bdced0f274378e7137fd1b5ad4a174ff29144e92635c00601922fc7f8df8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 3c533baf215268555666c4b49d06043e
SHA1 205bebae7b0f01d889c77f04346e79d341b128f9
SHA256 c99abb1093e0d9ae3463be69984032f7c048981fc3eebd995a10489f2f969b65
SHA512 23500e84746eac3d72bbcc2555f085abf294943a2b43c35c0af74701f683a80b997b91eb168393fdd1bf9d730dec362958ac48c9d92cf8c961258ddfb939aaa8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0bb77d83286a8bcba8fc4a1a1285e4cc
SHA1 7e8a3fd076b5460b9e67aea3b6cf70b435211f93
SHA256 0b739bc83a87a79dc8ac2b5cb68698e31f74b57240a3e787e07ad64caa5163db
SHA512 a6dedfad3a25e69793e4035edf557f48e6374427b86b65921741f3d1207a09eba83a75e5a1846cf4903bae1ed0138e4ecaac4118332b612b167df82fed611870

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d89d49f91daa857bcc69aefa56d55a5
SHA1 24c18effd61387d4324cbb15a7f4f75fbf34db63
SHA256 960af10e008b5ddeaa41b9b2bd5655a2dc958ba99e667ea64de9e8fe4d07a708
SHA512 2384c6711599b240f51efb97417c9bc1661792e4346a4284390523c65213897d116e1ca0a2b82439de5cabadede89b3385bab6523a727f11ef9bbf6aa5a609c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b1d8b2d59c4dc8f6468fb947dd258eb
SHA1 0f15a4054df4b71d29440fb24e4e846715af39cd
SHA256 bdfdc31e36067e3ca051d62c5d549729f72d0a2c2d96dacb0a3c252173c5dade
SHA512 567b73629e84e5c442270a752b99f4e94aa26f590990ba374c33073349fe724b4c8e04a2ee26688f8e8ec48d8233ca407bb262cdb285ff4d3d3bda2394fda5ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55b7e35c8dae545db63fef0442034382
SHA1 daa55d8717ba1aaac935411ac1692a962b40166b
SHA256 25c2267b2bace8eef49f5572a38e543ee7b8f71e66287822214f1ab66121ede9
SHA512 e93217fe83d629f0751b05e059d453785fbf921bbf82137c7074271cd85a47c8b16d2666ad22ef4b85bc0cdf9c807fc26da1dff94f330699c68902e8b6742285

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d3535eba0b4e6d06515f42ff77ff1c1
SHA1 069d92eba206bab917182739d82066832431b809
SHA256 0c9b1c5152644d280970e4db2b1fa7395d7543d0c1fdbf5a3c2a4f9951517368
SHA512 2625e3308c646ba44f203e978b08521e85e7b271c337e314ed2f181bf8b58b4f59f51ca24c9ffd6a84d69397909f5011f7404974d44b9a93314fe735b1b9beff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f063012c6fff6806a8f61f3e992c172
SHA1 c8c179dbf56d4c3fac6aca8072ac325bd140377a
SHA256 e0371a19598a49cd26f65ed372fdcb57b3b5cfa3f9989b74db5c0284681a1531
SHA512 2101051f8bf99da634b85caf2626c9c889e8aabb39153c2c52a3b6195bf99ec96fe80db82313088c455b2df5008d724d3dc3304148e57b190f5c8afca014de21

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be783c9a7b8a21560384ccc40b455cb7
SHA1 4a18565a999af68f9ff3728bdfcff316140b4053
SHA256 19499ae3cb02a5a8ca16d175c28347dc8f8bd0de889cbd2f0f2ae96f0c6055bd
SHA512 f2836702e299ef3b728f6950b8092d8a364fb2d6c88de67b117a0eae3fc958d8762e09ecd660619572a60fbeb6ad7840278df3a4a4a3e2e34b84565d0d94a933

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42e6a19ac7ad7d1f91764df572dc72b3
SHA1 1d43ffb43041df3b79186ecb95195614c94c633d
SHA256 d5df0ead445e4d0e59b0c0418f7d55a5c91b2b380b634dcd17eb296b5b384df8
SHA512 f4c3a09699acb7700ba6153db9bb95112c70b696cf81fb8e4cc6927ee66c113a541e4ab58bb260fac99b8b5d95dcd1644fe1c14fc0f73c1f18422c13658ffba9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 688ccdf70345fafe16544fc6d7b9aa98
SHA1 62a4c382cf102335bdcbab2e286081475c093f38
SHA256 f3c3e959d86f3ecca1d19cab629fce87461fcebaa326766b0b72237c91a1b884
SHA512 2a60d2adefcca5a844b4fcb0ee7c89fccdf24a553fef7f97119923903b4cc5e66b36d1992ed899fd67179d5f0ff24b58de375f6678f818a19f20186a58eab1c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb2b673ff7710acc4f55fbde7336ef52
SHA1 3dfff573e6726d625e449dc04cd4f71840654508
SHA256 1957cb94bd0b3cae93241471b529c3bc65142e2d19d373eccde4ff864d86a6f5
SHA512 0997c15e0465c0ea0e2adbccf465954de80ca36dc0551c77fde9ce87e212953db93349a47fffb18a007788a952143c0952e2a0d064eb56775519a4f56c69355e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c92d917570ce4b17d6c1b175255e6a7
SHA1 5e95d5916d5201ff34d0cb3dda0d8b0dac9f9fc5
SHA256 d3e5087be29faee2ed11f7034e8e80b5c4d680c5913a9ca26c18060cc72d0f8f
SHA512 693c859c23e4da86ccc9065ca43539be447607e8e8ca920b02f7178d6a078b5d790e8a1edbf9ebbcca6ec512fc481ad8297a6ddc175a0b24f3813f3712616a98

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 890c2884d8180935dafe77b7bf7c7361
SHA1 63fb5c9968131f73f1572026f3d952581e2ca48f
SHA256 16b0d8f1e0a14ba487577a4460127f8d8aa5ca5338505f9ea4fe3bea99218b43
SHA512 66455b13de9942afd43d01c8348560b730a87ff5d1d16fabbbfc24fc0d2d0eda9df14da7f45fe9804a8aa7527340a6b7be53cd30886c9b1c9b5ea9c3926f88c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d041736e73122b19ecf1681aa51fd141
SHA1 60c4db86bf19ca9ffd0404e44b66c5b077ebde28
SHA256 9eb93cba43e011022fce1e644c21f803f47fa374c11ff2bed3d4b8c41f413dd2
SHA512 65047c74dc0e739838aaba15f7f000640c21017f744baeafff9b150f7d7d5fcb159d2bf0a930b75086ddbc651d4445fe17411704a3dc1ed03c1d4d1c1bcb2448

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96aa73ddc1790a1a2b0974394a85927b
SHA1 5c0ccaf656609875ba7aa02b95b511c2165f7174
SHA256 7d9da573e0c5295437f03c576a56b6640b405a53256ecc15d88ed77ad51ed22e
SHA512 8916f8a65d83ab6ce88deaba44c326694b07735830376bd0692a78da443bdb88b8dfe83eb575287c7d350cbaa8a505f4d0898a1b5180ac1c9783b33571044b77

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-13 18:04

Reported

2024-05-13 18:06

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 224
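
The process tree above is the NSIS pattern: rundll32.exe is handed a DLL that the installer extracted under the user's Temp directory ($PLUGINSDIR, here the NSIS System plugin) and asked to run export ordinal #1; the 64-bit rundll32 then re-launches its SysWOW64 copy for the 32-bit DLL, and WerFault reports a crash of PID 2096 (the report does not list which rundll32 instance had that PID). The following Python is an added triage check, not part of this report or of any sandbox product: it parses command lines of this shape, flags rundll32 loading a user-Temp/$PLUGINSDIR DLL by ordinal, and pulls the crashed PID out of the WerFault invocation. The three report lines are copied from the Processes section; the benign control line and the regexes are constructed for this example.

```python
import re
from typing import Optional

# Command lines copied from the behavioral5 Processes section (PIDs are not given there).
PROCESS_LINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 224",
]
# Constructed control case (not from the report): a normal Control Panel launch.
BENIGN_LINE = r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"

# rundll32 syntax is "rundll32.exe <dll>,<entry>"; <entry> is an export name or "#<ordinal>".
RUNDLL32_RE = re.compile(
    r"^(?:.*\\)?rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<entry>#?\w+)\s*$",
    re.IGNORECASE,
)
# User-writable Temp directory; NSIS extracts its plugins there at install time.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# WerFault.exe -p <pid> names the process that crashed.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?-p\s+(?P<pid>\d+)", re.IGNORECASE)


def classify_rundll32(cmdline: str) -> Optional[dict]:
    """Return a finding if cmdline is rundll32 loading a DLL export in a suspicious way, else None.

    Reasons reported: the DLL sits under the user's Temp directory, it sits in an
    NSIS $PLUGINSDIR, or the export is addressed by ordinal rather than by name.
    """
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll, entry = m.group("dll").strip('"'), m.group("entry")
    reasons = []
    if USER_TEMP_RE.search(dll):
        reasons.append("dll_in_user_temp")
    if "$PLUGINSDIR" in dll.upper():
        reasons.append("nsis_plugins_dir")
    if entry.startswith("#"):
        reasons.append("export_by_ordinal")
    if not reasons:
        return None
    return {"dll": dll, "entry": entry, "reasons": reasons}


def crashed_pid(cmdline: str) -> Optional[int]:
    """Extract the PID named by a WerFault.exe -p argument, or None if not a WerFault line."""
    m = WERFAULT_RE.search(cmdline)
    return int(m.group("pid")) if m else None


def triage(lines) -> dict:
    """Run both checks over a list of process command lines."""
    findings = [f for f in (classify_rundll32(line) for line in lines) if f]
    crashes = [p for p in (crashed_pid(line) for line in lines) if p is not None]
    return {"rundll32_findings": findings, "werfault_pids": crashes}


if __name__ == "__main__":
    result = triage(PROCESS_LINES + [BENIGN_LINE])
    for f in result["rundll32_findings"]:
        print("suspicious rundll32:", f["dll"], f["entry"], ",".join(f["reasons"]))
    print("crashed PIDs:", result["werfault_pids"])
```

The ordinal-by-itself reason is weak on its own (legitimate software also calls exports by ordinal); the combination with a user-Temp or $PLUGINSDIR path is what makes the hit worth a look. Because this report lists no PIDs for the rundll32 instances, the 2096 from WerFault can only be matched to a process in a trace that records PIDs, such as Sysmon event 1.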

Network

N/A

Files

N/A