Malware Analysis Report

2024-09-22 14:23

Sample ID 240517-d5dsqsfg58
Target 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118
SHA256 e6557f9c50233007a4eef28a54017e0052d511da2e9170e68c87532131d25aae
Tags
execution cerber defense_evasion discovery impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e6557f9c50233007a4eef28a54017e0052d511da2e9170e68c87532131d25aae

Threat Level: Known bad

The file 4e411c2df17b88a85174574c5cdb51da_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

execution cerber defense_evasion discovery impact ransomware spyware stealer

Cerber

Deletes shadow copies

Blocklisted process makes network request

Contacts a large (519) amount of remote hosts

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in Program Files directory

Program crash

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

Runs ping.exe

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Kills process with taskkill

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-17 03:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2724 wrote to memory of 852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2724 wrote to memory of 852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 852 -ip 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3732 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3732 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3732 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1988 -ip 1988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win7-20240221-en

Max time kernel

118s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\jqueryValidatorI18n.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\jqueryValidatorI18n.js

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win7-20231129-en

Max time kernel

120s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe"

Signatures

Cerber

ransomware cerber

Deletes shadow copies

ransomware defense_evasion impact execution

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Contacts a large (519) amount of remote hosts

discovery

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpAA05.bmp" C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_README_.hta C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Windows\SysWOW64\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Windows\SysWOW64\mshta.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Windows\SysWOW64\mshta.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe
PID 2392 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe
PID 2392 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe
PID 2392 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe
PID 2392 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe
PID 2392 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2392 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2392 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 2392 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 1644 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1644 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1644 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1644 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2652 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2652 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2652 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 1644 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 1644 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 1644 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 1644 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 1644 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1644 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1644 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1644 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2020 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2020 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2020 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2020 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2020 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2020 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 440

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic.exe shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\_README_.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe"

C:\Windows\system32\PING.EXE

ping -n 1 127.0.0.1

Network

Country Destination Domain Proto
N/A 192.168.0.0:6892 udp
N/A 192.168.0.1:6892 udp
N/A 192.168.0.2:6892 udp
N/A 192.168.0.3:6892 udp
N/A 192.168.0.4:6892 udp
N/A 192.168.0.5:6892 udp
N/A 192.168.0.6:6892 udp
N/A 192.168.0.7:6892 udp
N/A 192.168.0.8:6892 udp
N/A 192.168.0.9:6892 udp
N/A 192.168.0.10:6892 udp
N/A 192.168.0.11:6892 udp
N/A 192.168.0.12:6892 udp
N/A 192.168.0.13:6892 udp
N/A 192.168.0.14:6892 udp
N/A 192.168.0.15:6892 udp
N/A 192.168.0.16:6892 udp
N/A 192.168.0.17:6892 udp
N/A 192.168.0.18:6892 udp
N/A 192.168.0.19:6892 udp
N/A 192.168.0.20:6892 udp
N/A 192.168.0.21:6892 udp
N/A 192.168.0.22:6892 udp
N/A 192.168.0.23:6892 udp
N/A 192.168.0.24:6892 udp
N/A 192.168.0.25:6892 udp
N/A 192.168.0.26:6892 udp
N/A 192.168.0.27:6892 udp
N/A 192.168.0.28:6892 udp
N/A 192.168.0.29:6892 udp
N/A 192.168.0.30:6892 udp
N/A 192.168.0.31:6892 udp
LT 194.165.16.0:6892 udp
LT 194.165.16.1:6892 udp
LT 194.165.16.2:6892 udp
LT 194.165.16.3:6892 udp
LT 194.165.16.4:6892 udp
LT 194.165.16.5:6892 udp
LT 194.165.16.6:6892 udp
LT 194.165.16.7:6892 udp
LT 194.165.16.8:6892 udp
LT 194.165.16.9:6892 udp
LT 194.165.16.10:6892 udp
LT 194.165.16.11:6892 udp
LT 194.165.16.12:6892 udp
LT 194.165.16.13:6892 udp
LT 194.165.16.14:6892 udp
LT 194.165.16.15:6892 udp
LT 194.165.16.16:6892 udp
LT 194.165.16.17:6892 udp
LT 194.165.16.18:6892 udp
LT 194.165.16.19:6892 udp
LT 194.165.16.20:6892 udp
LT 194.165.16.21:6892 udp
LT 194.165.16.22:6892 udp
LT 194.165.16.23:6892 udp
LT 194.165.16.24:6892 udp
LT 194.165.16.25:6892 udp
LT 194.165.16.26:6892 udp
LT 194.165.16.27:6892 udp
LT 194.165.16.28:6892 udp
LT 194.165.16.29:6892 udp
LT 194.165.16.30:6892 udp
LT 194.165.16.31:6892 udp
LT 194.165.16.32:6892 udp
LT 194.165.16.33:6892 udp
LT 194.165.16.34:6892 udp
LT 194.165.16.35:6892 udp
LT 194.165.16.36:6892 udp
LT 194.165.16.37:6892 udp
LT 194.165.16.38:6892 udp
LT 194.165.16.39:6892 udp
LT 194.165.16.40:6892 udp
LT 194.165.16.41:6892 udp
LT 194.165.16.42:6892 udp
LT 194.165.16.43:6892 udp
LT 194.165.16.44:6892 udp
LT 194.165.16.45:6892 udp
LT 194.165.16.46:6892 udp
LT 194.165.16.47:6892 udp
LT 194.165.16.48:6892 udp
LT 194.165.16.49:6892 udp
LT 194.165.16.50:6892 udp
LT 194.165.16.51:6892 udp
LT 194.165.16.52:6892 udp
LT 194.165.16.53:6892 udp
LT 194.165.16.54:6892 udp
LT 194.165.16.55:6892 udp
LT 194.165.16.56:6892 udp
LT 194.165.16.57:6892 udp
LT 194.165.16.58:6892 udp
LT 194.165.16.59:6892 udp
LT 194.165.16.60:6892 udp
LT 194.165.16.61:6892 udp
LT 194.165.16.62:6892 udp
LT 194.165.16.63:6892 udp
LT 194.165.16.64:6892 udp
LT 194.165.16.65:6892 udp
LT 194.165.16.66:6892 udp
LT 194.165.16.67:6892 udp
LT 194.165.16.68:6892 udp
LT 194.165.16.69:6892 udp
LT 194.165.16.70:6892 udp
LT 194.165.16.71:6892 udp
LT 194.165.16.72:6892 udp
LT 194.165.16.73:6892 udp
LT 194.165.16.74:6892 udp
LT 194.165.16.75:6892 udp
LT 194.165.16.76:6892 udp
LT 194.165.16.77:6892 udp
LT 194.165.16.78:6892 udp
LT 194.165.16.79:6892 udp
LT 194.165.16.80:6892 udp
LT 194.165.16.81:6892 udp
LT 194.165.16.82:6892 udp
LT 194.165.16.83:6892 udp
LT 194.165.16.84:6892 udp
LT 194.165.16.85:6892 udp
LT 194.165.16.86:6892 udp
LT 194.165.16.87:6892 udp
LT 194.165.16.88:6892 udp
LT 194.165.16.89:6892 udp
LT 194.165.16.90:6892 udp
LT 194.165.16.91:6892 udp
LT 194.165.16.92:6892 udp
LT 194.165.16.93:6892 udp
LT 194.165.16.94:6892 udp
LT 194.165.16.95:6892 udp
LT 194.165.16.96:6892 udp
LT 194.165.16.97:6892 udp
LT 194.165.16.98:6892 udp
LT 194.165.16.99:6892 udp
LT 194.165.16.100:6892 udp
LT 194.165.16.101:6892 udp
LT 194.165.16.102:6892 udp
LT 194.165.16.103:6892 udp
LT 194.165.16.104:6892 udp
LT 194.165.16.105:6892 udp
LT 194.165.16.106:6892 udp
LT 194.165.16.107:6892 udp
LT 194.165.16.108:6892 udp
LT 194.165.16.109:6892 udp
LT 194.165.16.110:6892 udp
LT 194.165.16.111:6892 udp
LT 194.165.16.112:6892 udp
LT 194.165.16.113:6892 udp
LT 194.165.16.114:6892 udp
LT 194.165.16.115:6892 udp
LT 194.165.16.116:6892 udp
LT 194.165.16.117:6892 udp
LT 194.165.16.118:6892 udp
LT 194.165.16.119:6892 udp
LT 194.165.16.120:6892 udp
LT 194.165.16.121:6892 udp
LT 194.165.16.122:6892 udp
LT 194.165.16.123:6892 udp
LT 194.165.16.124:6892 udp
LT 194.165.16.125:6892 udp
LT 194.165.16.126:6892 udp
LT 194.165.16.127:6892 udp
LT 194.165.16.128:6892 udp
LT 194.165.16.129:6892 udp
LT 194.165.16.130:6892 udp
LT 194.165.16.131:6892 udp
LT 194.165.16.132:6892 udp
LT 194.165.16.133:6892 udp
LT 194.165.16.134:6892 udp
LT 194.165.16.135:6892 udp
LT 194.165.16.136:6892 udp
LT 194.165.16.137:6892 udp
LT 194.165.16.138:6892 udp
LT 194.165.16.139:6892 udp
LT 194.165.16.140:6892 udp
LT 194.165.16.141:6892 udp
LT 194.165.16.142:6892 udp
LT 194.165.16.143:6892 udp
LT 194.165.16.144:6892 udp
LT 194.165.16.145:6892 udp
LT 194.165.16.146:6892 udp
LT 194.165.16.147:6892 udp
LT 194.165.16.148:6892 udp
LT 194.165.16.149:6892 udp
LT 194.165.16.150:6892 udp
LT 194.165.16.151:6892 udp
LT 194.165.16.152:6892 udp
LT 194.165.16.153:6892 udp
LT 194.165.16.154:6892 udp
LT 194.165.16.155:6892 udp
LT 194.165.16.156:6892 udp
LT 194.165.16.157:6892 udp
LT 194.165.16.158:6892 udp
LT 194.165.16.159:6892 udp
LT 194.165.16.160:6892 udp
LT 194.165.16.161:6892 udp
LT 194.165.16.162:6892 udp
LT 194.165.16.163:6892 udp
LT 194.165.16.164:6892 udp
LT 194.165.16.165:6892 udp
LT 194.165.16.166:6892 udp
LT 194.165.16.167:6892 udp
LT 194.165.16.168:6892 udp
LT 194.165.16.169:6892 udp
LT 194.165.16.170:6892 udp
LT 194.165.16.171:6892 udp
LT 194.165.16.172:6892 udp
LT 194.165.16.173:6892 udp
LT 194.165.16.174:6892 udp
LT 194.165.16.175:6892 udp
LT 194.165.16.176:6892 udp
LT 194.165.16.177:6892 udp
LT 194.165.16.178:6892 udp
LT 194.165.16.179:6892 udp
LT 194.165.16.180:6892 udp
LT 194.165.16.181:6892 udp
LT 194.165.16.182:6892 udp
LT 194.165.16.183:6892 udp
LT 194.165.16.184:6892 udp
LT 194.165.16.185:6892 udp
LT 194.165.16.186:6892 udp
LT 194.165.16.187:6892 udp
LT 194.165.16.188:6892 udp
LT 194.165.16.189:6892 udp
LT 194.165.16.190:6892 udp
LT 194.165.16.191:6892 udp
LT 194.165.16.192:6892 udp
LT 194.165.16.193:6892 udp
LT 194.165.16.194:6892 udp
LT 194.165.16.195:6892 udp
LT 194.165.16.196:6892 udp
LT 194.165.16.197:6892 udp
LT 194.165.16.198:6892 udp
LT 194.165.16.199:6892 udp
LT 194.165.16.200:6892 udp
LT 194.165.16.201:6892 udp
LT 194.165.16.202:6892 udp
LT 194.165.16.203:6892 udp
LT 194.165.16.204:6892 udp
LT 194.165.16.205:6892 udp
LT 194.165.16.206:6892 udp
LT 194.165.16.207:6892 udp
LT 194.165.16.208:6892 udp
LT 194.165.16.209:6892 udp
LT 194.165.16.210:6892 udp
LT 194.165.16.211:6892 udp
LT 194.165.16.212:6892 udp
LT 194.165.16.213:6892 udp
LT 194.165.16.214:6892 udp
LT 194.165.16.215:6892 udp
LT 194.165.16.216:6892 udp
LT 194.165.16.217:6892 udp
LT 194.165.16.218:6892 udp
LT 194.165.16.219:6892 udp
LT 194.165.16.220:6892 udp
LT 194.165.16.221:6892 udp
LT 194.165.16.222:6892 udp
LT 194.165.16.223:6892 udp
LT 194.165.16.224:6892 udp
LT 194.165.16.225:6892 udp
LT 194.165.16.226:6892 udp
LT 194.165.16.227:6892 udp
LT 194.165.16.228:6892 udp
LT 194.165.16.229:6892 udp
LT 194.165.16.230:6892 udp
LT 194.165.16.231:6892 udp
LT 194.165.16.232:6892 udp
LT 194.165.16.233:6892 udp
LT 194.165.16.234:6892 udp
LT 194.165.16.235:6892 udp
LT 194.165.16.236:6892 udp
LT 194.165.16.237:6892 udp
LT 194.165.16.238:6892 udp
LT 194.165.16.239:6892 udp
LT 194.165.16.240:6892 udp
LT 194.165.16.241:6892 udp
LT 194.165.16.242:6892 udp
LT 194.165.16.243:6892 udp
LT 194.165.16.244:6892 udp
LT 194.165.16.245:6892 udp
LT 194.165.16.246:6892 udp
LT 194.165.16.247:6892 udp
LT 194.165.16.248:6892 udp
LT 194.165.16.249:6892 udp
LT 194.165.16.250:6892 udp
LT 194.165.16.251:6892 udp
LT 194.165.16.252:6892 udp
LT 194.165.16.253:6892 udp
LT 194.165.16.254:6892 udp
N/A 127.0.0.0:6892 udp
N/A 127.0.0.1:6892 udp
N/A 127.0.0.2:6892 udp
N/A 127.0.0.3:6892 udp
N/A 127.0.0.4:6892 udp
N/A 127.0.0.5:6892 udp
N/A 127.0.0.6:6892 udp
N/A 127.0.0.7:6892 udp
N/A 127.0.0.8:6892 udp
N/A 127.0.0.9:6892 udp
N/A 127.0.0.10:6892 udp
N/A 127.0.0.11:6892 udp
N/A 127.0.0.12:6892 udp
N/A 127.0.0.13:6892 udp
N/A 127.0.0.14:6892 udp
N/A 127.0.0.15:6892 udp
N/A 127.0.0.16:6892 udp
N/A 127.0.0.17:6892 udp
N/A 127.0.0.18:6892 udp
N/A 127.0.0.19:6892 udp
N/A 127.0.0.20:6892 udp
N/A 127.0.0.21:6892 udp
N/A 127.0.0.22:6892 udp
N/A 127.0.0.23:6892 udp
N/A 127.0.0.24:6892 udp
N/A 127.0.0.25:6892 udp
N/A 127.0.0.26:6892 udp
N/A 127.0.0.27:6892 udp
N/A 127.0.0.28:6892 udp
N/A 127.0.0.29:6892 udp
N/A 127.0.0.30:6892 udp
N/A 127.0.0.31:6892 udp
LT 194.165.16.255:6892 udp
LT 194.165.17.0:6892 udp
LT 194.165.17.1:6892 udp
LT 194.165.17.2:6892 udp
LT 194.165.17.3:6892 udp
LT 194.165.17.4:6892 udp
LT 194.165.17.5:6892 udp
LT 194.165.17.6:6892 udp
LT 194.165.17.7:6892 udp
LT 194.165.17.8:6892 udp
LT 194.165.17.9:6892 udp
LT 194.165.17.10:6892 udp
LT 194.165.17.11:6892 udp
LT 194.165.17.12:6892 udp
LT 194.165.17.13:6892 udp
LT 194.165.17.14:6892 udp
LT 194.165.17.15:6892 udp
LT 194.165.17.16:6892 udp
LT 194.165.17.17:6892 udp
LT 194.165.17.18:6892 udp
LT 194.165.17.19:6892 udp
LT 194.165.17.20:6892 udp
LT 194.165.17.21:6892 udp
LT 194.165.17.22:6892 udp
LT 194.165.17.23:6892 udp
LT 194.165.17.24:6892 udp
LT 194.165.17.25:6892 udp
LT 194.165.17.26:6892 udp
LT 194.165.17.27:6892 udp
LT 194.165.17.28:6892 udp
LT 194.165.17.29:6892 udp
LT 194.165.17.30:6892 udp
LT 194.165.17.31:6892 udp
LT 194.165.17.32:6892 udp
LT 194.165.17.33:6892 udp
LT 194.165.17.34:6892 udp
LT 194.165.17.35:6892 udp
LT 194.165.17.36:6892 udp
LT 194.165.17.37:6892 udp
LT 194.165.17.38:6892 udp
LT 194.165.17.39:6892 udp
LT 194.165.17.40:6892 udp
LT 194.165.17.41:6892 udp
LT 194.165.17.42:6892 udp
LT 194.165.17.43:6892 udp
LT 194.165.17.44:6892 udp
LT 194.165.17.45:6892 udp
LT 194.165.17.46:6892 udp
LT 194.165.17.47:6892 udp
LT 194.165.17.48:6892 udp
LT 194.165.17.49:6892 udp
LT 194.165.17.50:6892 udp
LT 194.165.17.51:6892 udp
LT 194.165.17.52:6892 udp
LT 194.165.17.53:6892 udp
LT 194.165.17.54:6892 udp
LT 194.165.17.55:6892 udp
LT 194.165.17.56:6892 udp
LT 194.165.17.57:6892 udp
LT 194.165.17.58:6892 udp
LT 194.165.17.59:6892 udp
LT 194.165.17.60:6892 udp
LT 194.165.17.61:6892 udp
LT 194.165.17.62:6892 udp
LT 194.165.17.63:6892 udp
LT 194.165.17.64:6892 udp
LT 194.165.17.65:6892 udp
LT 194.165.17.66:6892 udp
LT 194.165.17.67:6892 udp
LT 194.165.17.68:6892 udp
LT 194.165.17.69:6892 udp
LT 194.165.17.70:6892 udp
LT 194.165.17.71:6892 udp
LT 194.165.17.72:6892 udp
LT 194.165.17.73:6892 udp
LT 194.165.17.74:6892 udp
LT 194.165.17.75:6892 udp
LT 194.165.17.76:6892 udp
LT 194.165.17.77:6892 udp
LT 194.165.17.78:6892 udp
LT 194.165.17.79:6892 udp
LT 194.165.17.80:6892 udp
LT 194.165.17.81:6892 udp
LT 194.165.17.82:6892 udp
LT 194.165.17.83:6892 udp
LT 194.165.17.84:6892 udp
LT 194.165.17.85:6892 udp
LT 194.165.17.86:6892 udp
LT 194.165.17.87:6892 udp
LT 194.165.17.88:6892 udp
LT 194.165.17.89:6892 udp
LT 194.165.17.90:6892 udp
LT 194.165.17.91:6892 udp
LT 194.165.17.92:6892 udp
LT 194.165.17.93:6892 udp
LT 194.165.17.94:6892 udp
LT 194.165.17.95:6892 udp
LT 194.165.17.96:6892 udp
LT 194.165.17.97:6892 udp
LT 194.165.17.98:6892 udp
LT 194.165.17.99:6892 udp
LT 194.165.17.100:6892 udp
LT 194.165.17.101:6892 udp
LT 194.165.17.102:6892 udp
LT 194.165.17.103:6892 udp
LT 194.165.17.104:6892 udp
LT 194.165.17.105:6892 udp
LT 194.165.17.106:6892 udp
LT 194.165.17.107:6892 udp
LT 194.165.17.108:6892 udp
LT 194.165.17.109:6892 udp
LT 194.165.17.110:6892 udp
LT 194.165.17.111:6892 udp
LT 194.165.17.112:6892 udp
LT 194.165.17.113:6892 udp
LT 194.165.17.114:6892 udp
LT 194.165.17.115:6892 udp
LT 194.165.17.116:6892 udp
LT 194.165.17.117:6892 udp
LT 194.165.17.118:6892 udp
LT 194.165.17.119:6892 udp
LT 194.165.17.120:6892 udp
LT 194.165.17.121:6892 udp
LT 194.165.17.122:6892 udp
LT 194.165.17.123:6892 udp
LT 194.165.17.124:6892 udp
LT 194.165.17.125:6892 udp
LT 194.165.17.126:6892 udp
LT 194.165.17.127:6892 udp
LT 194.165.17.128:6892 udp
LT 194.165.17.129:6892 udp
LT 194.165.17.130:6892 udp
LT 194.165.17.131:6892 udp
LT 194.165.17.132:6892 udp
LT 194.165.17.133:6892 udp
LT 194.165.17.134:6892 udp
LT 194.165.17.135:6892 udp
LT 194.165.17.136:6892 udp
LT 194.165.17.137:6892 udp
LT 194.165.17.138:6892 udp
LT 194.165.17.139:6892 udp
LT 194.165.17.140:6892 udp
LT 194.165.17.141:6892 udp
LT 194.165.17.142:6892 udp
LT 194.165.17.143:6892 udp
LT 194.165.17.144:6892 udp
LT 194.165.17.145:6892 udp
LT 194.165.17.146:6892 udp
LT 194.165.17.147:6892 udp
LT 194.165.17.148:6892 udp
LT 194.165.17.149:6892 udp
LT 194.165.17.150:6892 udp
LT 194.165.17.151:6892 udp
LT 194.165.17.152:6892 udp
LT 194.165.17.153:6892 udp
LT 194.165.17.154:6892 udp
LT 194.165.17.155:6892 udp
LT 194.165.17.156:6892 udp
LT 194.165.17.157:6892 udp
LT 194.165.17.158:6892 udp
LT 194.165.17.159:6892 udp
LT 194.165.17.160:6892 udp
LT 194.165.17.161:6892 udp
LT 194.165.17.162:6892 udp
LT 194.165.17.163:6892 udp
LT 194.165.17.164:6892 udp
LT 194.165.17.165:6892 udp
LT 194.165.17.166:6892 udp
LT 194.165.17.167:6892 udp
LT 194.165.17.168:6892 udp
LT 194.165.17.169:6892 udp
LT 194.165.17.170:6892 udp
LT 194.165.17.171:6892 udp
LT 194.165.17.172:6892 udp
LT 194.165.17.173:6892 udp
LT 194.165.17.174:6892 udp
LT 194.165.17.175:6892 udp
LT 194.165.17.176:6892 udp
LT 194.165.17.177:6892 udp
LT 194.165.17.178:6892 udp
LT 194.165.17.179:6892 udp
LT 194.165.17.180:6892 udp
LT 194.165.17.181:6892 udp
LT 194.165.17.182:6892 udp
LT 194.165.17.183:6892 udp
LT 194.165.17.184:6892 udp
LT 194.165.17.185:6892 udp
LT 194.165.17.186:6892 udp
LT 194.165.17.187:6892 udp
LT 194.165.17.188:6892 udp
LT 194.165.17.189:6892 udp
LT 194.165.17.190:6892 udp
LT 194.165.17.191:6892 udp
LT 194.165.17.192:6892 udp
LT 194.165.17.193:6892 udp
LT 194.165.17.194:6892 udp
LT 194.165.17.195:6892 udp
LT 194.165.17.196:6892 udp
LT 194.165.17.197:6892 udp
LT 194.165.17.198:6892 udp
LT 194.165.17.199:6892 udp
LT 194.165.17.200:6892 udp
LT 194.165.17.201:6892 udp
LT 194.165.17.202:6892 udp
LT 194.165.17.203:6892 udp
LT 194.165.17.204:6892 udp
LT 194.165.17.205:6892 udp
LT 194.165.17.206:6892 udp
LT 194.165.17.207:6892 udp
LT 194.165.17.208:6892 udp
LT 194.165.17.209:6892 udp
LT 194.165.17.210:6892 udp
LT 194.165.17.211:6892 udp
LT 194.165.17.212:6892 udp
LT 194.165.17.213:6892 udp
LT 194.165.17.214:6892 udp
LT 194.165.17.215:6892 udp
LT 194.165.17.216:6892 udp
LT 194.165.17.217:6892 udp
LT 194.165.17.218:6892 udp
LT 194.165.17.219:6892 udp
LT 194.165.17.220:6892 udp
LT 194.165.17.221:6892 udp
LT 194.165.17.222:6892 udp
LT 194.165.17.223:6892 udp
LT 194.165.17.224:6892 udp
LT 194.165.17.225:6892 udp
LT 194.165.17.226:6892 udp
LT 194.165.17.227:6892 udp
LT 194.165.17.228:6892 udp
LT 194.165.17.229:6892 udp
LT 194.165.17.230:6892 udp
LT 194.165.17.231:6892 udp
LT 194.165.17.232:6892 udp
LT 194.165.17.233:6892 udp
LT 194.165.17.234:6892 udp
LT 194.165.17.235:6892 udp
LT 194.165.17.236:6892 udp
LT 194.165.17.237:6892 udp
LT 194.165.17.238:6892 udp
LT 194.165.17.239:6892 udp
LT 194.165.17.240:6892 udp
LT 194.165.17.241:6892 udp
LT 194.165.17.242:6892 udp
LT 194.165.17.243:6892 udp
LT 194.165.17.244:6892 udp
LT 194.165.17.245:6892 udp
LT 194.165.17.246:6892 udp
LT 194.165.17.247:6892 udp
LT 194.165.17.248:6892 udp
LT 194.165.17.249:6892 udp
LT 194.165.17.250:6892 udp
LT 194.165.17.251:6892 udp
LT 194.165.17.252:6892 udp
LT 194.165.17.253:6892 udp
LT 194.165.17.254:6892 udp
LT 194.165.17.255:6892 udp
N/A 192.168.0.0:6892 udp
N/A 192.168.0.1:6892 udp
N/A 192.168.0.2:6892 udp
N/A 192.168.0.3:6892 udp
N/A 192.168.0.4:6892 udp
N/A 192.168.0.5:6892 udp
N/A 192.168.0.6:6892 udp
N/A 192.168.0.7:6892 udp
N/A 192.168.0.8:6892 udp
N/A 192.168.0.9:6892 udp
N/A 192.168.0.10:6892 udp
N/A 192.168.0.11:6892 udp
N/A 192.168.0.12:6892 udp
N/A 192.168.0.13:6892 udp
N/A 192.168.0.14:6892 udp
N/A 192.168.0.15:6892 udp
N/A 192.168.0.16:6892 udp
N/A 192.168.0.17:6892 udp
N/A 192.168.0.18:6892 udp
N/A 192.168.0.19:6892 udp
N/A 192.168.0.20:6892 udp
N/A 192.168.0.21:6892 udp
N/A 192.168.0.22:6892 udp
N/A 192.168.0.23:6892 udp
N/A 192.168.0.24:6892 udp
N/A 192.168.0.25:6892 udp
N/A 192.168.0.26:6892 udp
N/A 192.168.0.27:6892 udp
N/A 192.168.0.28:6892 udp
N/A 192.168.0.29:6892 udp
N/A 192.168.0.30:6892 udp
N/A 192.168.0.31:6892 udp
LT 194.165.16.0:6892 udp
LT 194.165.16.1:6892 udp
LT 194.165.16.2:6892 udp
LT 194.165.16.3:6892 udp
LT 194.165.16.4:6892 udp
LT 194.165.16.5:6892 udp
LT 194.165.16.6:6892 udp
LT 194.165.16.7:6892 udp
LT 194.165.16.8:6892 udp
LT 194.165.16.9:6892 udp
LT 194.165.16.10:6892 udp
LT 194.165.16.11:6892 udp
LT 194.165.16.12:6892 udp
LT 194.165.16.13:6892 udp
LT 194.165.16.14:6892 udp
LT 194.165.16.15:6892 udp
LT 194.165.16.16:6892 udp
LT 194.165.16.17:6892 udp
LT 194.165.16.18:6892 udp
LT 194.165.16.19:6892 udp
LT 194.165.16.20:6892 udp
LT 194.165.16.21:6892 udp
LT 194.165.16.22:6892 udp
LT 194.165.16.23:6892 udp
LT 194.165.16.24:6892 udp
LT 194.165.16.25:6892 udp
LT 194.165.16.26:6892 udp
LT 194.165.16.27:6892 udp
LT 194.165.16.28:6892 udp
LT 194.165.16.29:6892 udp
LT 194.165.16.30:6892 udp
LT 194.165.16.31:6892 udp
LT 194.165.16.32:6892 udp
LT 194.165.16.33:6892 udp
LT 194.165.16.34:6892 udp
LT 194.165.16.35:6892 udp
LT 194.165.16.36:6892 udp
LT 194.165.16.37:6892 udp
LT 194.165.16.38:6892 udp
LT 194.165.16.39:6892 udp
LT 194.165.16.40:6892 udp
LT 194.165.16.41:6892 udp
LT 194.165.16.42:6892 udp
LT 194.165.16.43:6892 udp
LT 194.165.16.44:6892 udp
LT 194.165.16.45:6892 udp
LT 194.165.16.46:6892 udp
LT 194.165.16.47:6892 udp
LT 194.165.16.48:6892 udp
LT 194.165.16.49:6892 udp
LT 194.165.16.50:6892 udp
LT 194.165.16.51:6892 udp
LT 194.165.16.52:6892 udp
LT 194.165.16.53:6892 udp
LT 194.165.16.54:6892 udp
LT 194.165.16.55:6892 udp
LT 194.165.16.56:6892 udp
LT 194.165.16.57:6892 udp
LT 194.165.16.58:6892 udp
LT 194.165.16.59:6892 udp
LT 194.165.16.60:6892 udp
LT 194.165.16.61:6892 udp
LT 194.165.16.62:6892 udp
LT 194.165.16.63:6892 udp
LT 194.165.16.64:6892 udp
LT 194.165.16.65:6892 udp
LT 194.165.16.66:6892 udp
LT 194.165.16.67:6892 udp
LT 194.165.16.68:6892 udp
LT 194.165.16.69:6892 udp
LT 194.165.16.70:6892 udp
LT 194.165.16.71:6892 udp
LT 194.165.16.72:6892 udp
LT 194.165.16.73:6892 udp
LT 194.165.16.74:6892 udp
LT 194.165.16.75:6892 udp
LT 194.165.16.76:6892 udp
LT 194.165.16.77:6892 udp
LT 194.165.16.78:6892 udp
LT 194.165.16.79:6892 udp
LT 194.165.16.80:6892 udp
LT 194.165.16.81:6892 udp
LT 194.165.16.82:6892 udp
LT 194.165.16.83:6892 udp
LT 194.165.16.84:6892 udp
LT 194.165.16.85:6892 udp
LT 194.165.16.86:6892 udp
LT 194.165.16.87:6892 udp
LT 194.165.16.88:6892 udp
LT 194.165.16.89:6892 udp
LT 194.165.16.90:6892 udp
LT 194.165.16.91:6892 udp
LT 194.165.16.92:6892 udp
LT 194.165.16.93:6892 udp
LT 194.165.16.94:6892 udp
LT 194.165.16.95:6892 udp
LT 194.165.16.96:6892 udp
LT 194.165.16.97:6892 udp
LT 194.165.16.98:6892 udp
LT 194.165.16.99:6892 udp
LT 194.165.16.100:6892 udp
LT 194.165.16.101:6892 udp
LT 194.165.16.102:6892 udp
LT 194.165.16.103:6892 udp
LT 194.165.16.104:6892 udp
LT 194.165.16.105:6892 udp
LT 194.165.16.106:6892 udp
LT 194.165.16.107:6892 udp
LT 194.165.16.108:6892 udp
LT 194.165.16.109:6892 udp
LT 194.165.16.110:6892 udp
LT 194.165.16.111:6892 udp
LT 194.165.16.112:6892 udp
LT 194.165.16.113:6892 udp
LT 194.165.16.114:6892 udp
LT 194.165.16.115:6892 udp
LT 194.165.16.116:6892 udp
LT 194.165.16.117:6892 udp
LT 194.165.16.118:6892 udp
LT 194.165.16.119:6892 udp
LT 194.165.16.120:6892 udp
LT 194.165.16.121:6892 udp
LT 194.165.16.122:6892 udp
LT 194.165.16.123:6892 udp
LT 194.165.16.124:6892 udp
LT 194.165.16.125:6892 udp
LT 194.165.16.126:6892 udp
LT 194.165.16.127:6892 udp
LT 194.165.16.128:6892 udp
LT 194.165.16.129:6892 udp
LT 194.165.16.130:6892 udp
LT 194.165.16.131:6892 udp
LT 194.165.16.132:6892 udp
LT 194.165.16.133:6892 udp
LT 194.165.16.134:6892 udp
LT 194.165.16.135:6892 udp
LT 194.165.16.136:6892 udp
LT 194.165.16.137:6892 udp
LT 194.165.16.138:6892 udp
LT 194.165.16.139:6892 udp
LT 194.165.16.140:6892 udp
LT 194.165.16.141:6892 udp
LT 194.165.16.142:6892 udp
LT 194.165.16.143:6892 udp
LT 194.165.16.144:6892 udp
LT 194.165.16.145:6892 udp
LT 194.165.16.146:6892 udp
LT 194.165.16.147:6892 udp
LT 194.165.16.148:6892 udp
LT 194.165.16.149:6892 udp
LT 194.165.16.150:6892 udp
LT 194.165.16.151:6892 udp
LT 194.165.16.152:6892 udp
LT 194.165.16.153:6892 udp
LT 194.165.16.154:6892 udp
LT 194.165.16.155:6892 udp
LT 194.165.16.156:6892 udp
LT 194.165.16.157:6892 udp
LT 194.165.16.158:6892 udp
LT 194.165.16.159:6892 udp
LT 194.165.16.160:6892 udp
LT 194.165.16.161:6892 udp
LT 194.165.16.162:6892 udp
LT 194.165.16.163:6892 udp
LT 194.165.16.164:6892 udp
LT 194.165.16.165:6892 udp
LT 194.165.16.166:6892 udp
LT 194.165.16.167:6892 udp
LT 194.165.16.168:6892 udp
LT 194.165.16.169:6892 udp
LT 194.165.16.170:6892 udp
LT 194.165.16.171:6892 udp
LT 194.165.16.172:6892 udp
LT 194.165.16.173:6892 udp
LT 194.165.16.174:6892 udp
LT 194.165.16.175:6892 udp
LT 194.165.16.176:6892 udp
LT 194.165.16.177:6892 udp
LT 194.165.16.178:6892 udp
LT 194.165.16.179:6892 udp
LT 194.165.16.180:6892 udp
LT 194.165.16.181:6892 udp
LT 194.165.16.182:6892 udp
LT 194.165.16.183:6892 udp
LT 194.165.16.184:6892 udp
LT 194.165.16.185:6892 udp
LT 194.165.16.186:6892 udp
LT 194.165.16.187:6892 udp
LT 194.165.16.188:6892 udp
LT 194.165.16.189:6892 udp
LT 194.165.16.190:6892 udp
LT 194.165.16.191:6892 udp
LT 194.165.16.192:6892 udp
LT 194.165.16.193:6892 udp
LT 194.165.16.194:6892 udp
LT 194.165.16.195:6892 udp
LT 194.165.16.196:6892 udp
LT 194.165.16.197:6892 udp
LT 194.165.16.198:6892 udp
LT 194.165.16.199:6892 udp
LT 194.165.16.200:6892 udp
LT 194.165.16.201:6892 udp
LT 194.165.16.202:6892 udp
LT 194.165.16.203:6892 udp
LT 194.165.16.204:6892 udp
LT 194.165.16.205:6892 udp
LT 194.165.16.206:6892 udp
LT 194.165.16.207:6892 udp
LT 194.165.16.208:6892 udp
LT 194.165.16.209:6892 udp
LT 194.165.16.210:6892 udp
LT 194.165.16.211:6892 udp
LT 194.165.16.212:6892 udp
LT 194.165.16.213:6892 udp
LT 194.165.16.214:6892 udp
LT 194.165.16.215:6892 udp
LT 194.165.16.216:6892 udp
LT 194.165.16.217:6892 udp
LT 194.165.16.218:6892 udp
LT 194.165.16.219:6892 udp
LT 194.165.16.220:6892 udp
LT 194.165.16.221:6892 udp
LT 194.165.16.222:6892 udp
LT 194.165.16.223:6892 udp
LT 194.165.16.224:6892 udp
LT 194.165.16.225:6892 udp
LT 194.165.16.226:6892 udp
LT 194.165.16.227:6892 udp
LT 194.165.16.228:6892 udp
LT 194.165.16.229:6892 udp
LT 194.165.16.230:6892 udp
LT 194.165.16.231:6892 udp
LT 194.165.16.232:6892 udp
LT 194.165.16.233:6892 udp
LT 194.165.16.234:6892 udp
LT 194.165.16.235:6892 udp
LT 194.165.16.236:6892 udp
LT 194.165.16.237:6892 udp
LT 194.165.16.238:6892 udp
LT 194.165.16.239:6892 udp
LT 194.165.16.240:6892 udp
LT 194.165.16.241:6892 udp
LT 194.165.16.242:6892 udp
LT 194.165.16.243:6892 udp
LT 194.165.16.244:6892 udp
LT 194.165.16.245:6892 udp
LT 194.165.16.246:6892 udp
LT 194.165.16.247:6892 udp
LT 194.165.16.248:6892 udp
LT 194.165.16.249:6892 udp
LT 194.165.16.250:6892 udp
LT 194.165.16.251:6892 udp
LT 194.165.16.252:6892 udp
LT 194.165.16.253:6892 udp
LT 194.165.16.254:6892 udp
N/A 127.0.0.0:6892 udp
N/A 127.0.0.1:6892 udp
N/A 127.0.0.2:6892 udp
N/A 127.0.0.3:6892 udp
N/A 127.0.0.4:6892 udp
N/A 127.0.0.5:6892 udp
N/A 127.0.0.6:6892 udp
N/A 127.0.0.7:6892 udp
N/A 127.0.0.8:6892 udp
N/A 127.0.0.9:6892 udp
N/A 127.0.0.10:6892 udp
N/A 127.0.0.11:6892 udp
N/A 127.0.0.12:6892 udp
N/A 127.0.0.13:6892 udp
N/A 127.0.0.14:6892 udp
N/A 127.0.0.15:6892 udp
N/A 127.0.0.16:6892 udp
N/A 127.0.0.17:6892 udp
N/A 127.0.0.18:6892 udp
N/A 127.0.0.19:6892 udp
N/A 127.0.0.20:6892 udp
N/A 127.0.0.21:6892 udp
N/A 127.0.0.22:6892 udp
N/A 127.0.0.23:6892 udp
N/A 127.0.0.24:6892 udp
N/A 127.0.0.25:6892 udp
N/A 127.0.0.26:6892 udp
N/A 127.0.0.27:6892 udp
N/A 127.0.0.28:6892 udp
N/A 127.0.0.29:6892 udp
N/A 127.0.0.30:6892 udp
N/A 127.0.0.31:6892 udp
LT 194.165.16.255:6892 udp
LT 194.165.17.0:6892 udp
LT 194.165.17.1:6892 udp
LT 194.165.17.2:6892 udp
LT 194.165.17.3:6892 udp
LT 194.165.17.4:6892 udp
LT 194.165.17.5:6892 udp
LT 194.165.17.6:6892 udp
LT 194.165.17.7:6892 udp
LT 194.165.17.8:6892 udp
LT 194.165.17.9:6892 udp
LT 194.165.17.10:6892 udp
LT 194.165.17.11:6892 udp
LT 194.165.17.12:6892 udp
LT 194.165.17.13:6892 udp
LT 194.165.17.14:6892 udp
LT 194.165.17.15:6892 udp
LT 194.165.17.16:6892 udp
LT 194.165.17.17:6892 udp
LT 194.165.17.18:6892 udp
LT 194.165.17.19:6892 udp
LT 194.165.17.20:6892 udp
LT 194.165.17.21:6892 udp
LT 194.165.17.22:6892 udp
LT 194.165.17.23:6892 udp
LT 194.165.17.24:6892 udp
LT 194.165.17.25:6892 udp
LT 194.165.17.26:6892 udp
LT 194.165.17.27:6892 udp
LT 194.165.17.28:6892 udp
LT 194.165.17.29:6892 udp
LT 194.165.17.30:6892 udp
LT 194.165.17.31:6892 udp
LT 194.165.17.32:6892 udp
LT 194.165.17.33:6892 udp
LT 194.165.17.34:6892 udp
LT 194.165.17.35:6892 udp
LT 194.165.17.36:6892 udp
LT 194.165.17.37:6892 udp
LT 194.165.17.38:6892 udp
LT 194.165.17.39:6892 udp
LT 194.165.17.40:6892 udp
LT 194.165.17.41:6892 udp
LT 194.165.17.42:6892 udp
LT 194.165.17.43:6892 udp
LT 194.165.17.44:6892 udp
LT 194.165.17.45:6892 udp
LT 194.165.17.46:6892 udp
LT 194.165.17.47:6892 udp
LT 194.165.17.48:6892 udp
LT 194.165.17.49:6892 udp
LT 194.165.17.50:6892 udp
LT 194.165.17.51:6892 udp
LT 194.165.17.52:6892 udp
LT 194.165.17.53:6892 udp
LT 194.165.17.54:6892 udp
LT 194.165.17.55:6892 udp
LT 194.165.17.56:6892 udp
LT 194.165.17.57:6892 udp
LT 194.165.17.58:6892 udp
LT 194.165.17.59:6892 udp
LT 194.165.17.60:6892 udp
LT 194.165.17.61:6892 udp
LT 194.165.17.62:6892 udp
LT 194.165.17.63:6892 udp
LT 194.165.17.64:6892 udp
LT 194.165.17.65:6892 udp
LT 194.165.17.66:6892 udp
LT 194.165.17.67:6892 udp
LT 194.165.17.68:6892 udp
LT 194.165.17.69:6892 udp
LT 194.165.17.70:6892 udp
LT 194.165.17.71:6892 udp
LT 194.165.17.72:6892 udp
LT 194.165.17.73:6892 udp
LT 194.165.17.74:6892 udp
LT 194.165.17.75:6892 udp
LT 194.165.17.76:6892 udp
LT 194.165.17.77:6892 udp
LT 194.165.17.78:6892 udp
LT 194.165.17.79:6892 udp
LT 194.165.17.80:6892 udp
LT 194.165.17.81:6892 udp
LT 194.165.17.82:6892 udp
LT 194.165.17.83:6892 udp
LT 194.165.17.84:6892 udp
LT 194.165.17.85:6892 udp
LT 194.165.17.86:6892 udp
LT 194.165.17.87:6892 udp
LT 194.165.17.88:6892 udp
LT 194.165.17.89:6892 udp
LT 194.165.17.90:6892 udp
LT 194.165.17.91:6892 udp
LT 194.165.17.92:6892 udp
LT 194.165.17.93:6892 udp
LT 194.165.17.94:6892 udp
LT 194.165.17.95:6892 udp
LT 194.165.17.96:6892 udp
LT 194.165.17.97:6892 udp
LT 194.165.17.98:6892 udp
LT 194.165.17.99:6892 udp
LT 194.165.17.100:6892 udp
LT 194.165.17.101:6892 udp
LT 194.165.17.102:6892 udp
LT 194.165.17.103:6892 udp
LT 194.165.17.104:6892 udp
LT 194.165.17.105:6892 udp
LT 194.165.17.106:6892 udp
LT 194.165.17.107:6892 udp
LT 194.165.17.108:6892 udp
LT 194.165.17.109:6892 udp
LT 194.165.17.110:6892 udp
LT 194.165.17.111:6892 udp
LT 194.165.17.112:6892 udp
LT 194.165.17.113:6892 udp
LT 194.165.17.114:6892 udp
LT 194.165.17.115:6892 udp
LT 194.165.17.116:6892 udp
LT 194.165.17.117:6892 udp
LT 194.165.17.118:6892 udp
LT 194.165.17.119:6892 udp
LT 194.165.17.120:6892 udp
LT 194.165.17.121:6892 udp
LT 194.165.17.122:6892 udp
LT 194.165.17.123:6892 udp
LT 194.165.17.124:6892 udp
LT 194.165.17.125:6892 udp
LT 194.165.17.126:6892 udp
LT 194.165.17.127:6892 udp
LT 194.165.17.128:6892 udp
LT 194.165.17.129:6892 udp
LT 194.165.17.130:6892 udp
LT 194.165.17.131:6892 udp
LT 194.165.17.132:6892 udp
LT 194.165.17.133:6892 udp
LT 194.165.17.134:6892 udp
LT 194.165.17.135:6892 udp
LT 194.165.17.136:6892 udp
LT 194.165.17.137:6892 udp
LT 194.165.17.138:6892 udp
LT 194.165.17.139:6892 udp
LT 194.165.17.140:6892 udp
LT 194.165.17.141:6892 udp
LT 194.165.17.142:6892 udp
LT 194.165.17.143:6892 udp
LT 194.165.17.144:6892 udp
LT 194.165.17.145:6892 udp
LT 194.165.17.146:6892 udp
LT 194.165.17.147:6892 udp
LT 194.165.17.148:6892 udp
LT 194.165.17.149:6892 udp
LT 194.165.17.150:6892 udp
LT 194.165.17.151:6892 udp
LT 194.165.17.152:6892 udp
LT 194.165.17.153:6892 udp
LT 194.165.17.154:6892 udp
LT 194.165.17.155:6892 udp
LT 194.165.17.156:6892 udp
LT 194.165.17.157:6892 udp
LT 194.165.17.158:6892 udp
LT 194.165.17.159:6892 udp
LT 194.165.17.160:6892 udp
LT 194.165.17.161:6892 udp
LT 194.165.17.162:6892 udp
LT 194.165.17.163:6892 udp
LT 194.165.17.164:6892 udp
LT 194.165.17.165:6892 udp
LT 194.165.17.166:6892 udp
LT 194.165.17.167:6892 udp
LT 194.165.17.168:6892 udp
LT 194.165.17.169:6892 udp
LT 194.165.17.170:6892 udp
LT 194.165.17.171:6892 udp
LT 194.165.17.172:6892 udp
LT 194.165.17.173:6892 udp
LT 194.165.17.174:6892 udp
LT 194.165.17.175:6892 udp
LT 194.165.17.176:6892 udp
LT 194.165.17.177:6892 udp
LT 194.165.17.178:6892 udp
LT 194.165.17.179:6892 udp
LT 194.165.17.180:6892 udp
LT 194.165.17.181:6892 udp
LT 194.165.17.182:6892 udp
LT 194.165.17.183:6892 udp
LT 194.165.17.184:6892 udp
LT 194.165.17.185:6892 udp
LT 194.165.17.186:6892 udp
LT 194.165.17.187:6892 udp
LT 194.165.17.188:6892 udp
LT 194.165.17.189:6892 udp
LT 194.165.17.190:6892 udp
LT 194.165.17.191:6892 udp
LT 194.165.17.192:6892 udp
LT 194.165.17.193:6892 udp
LT 194.165.17.194:6892 udp
LT 194.165.17.195:6892 udp
LT 194.165.17.196:6892 udp
LT 194.165.17.197:6892 udp
LT 194.165.17.198:6892 udp
LT 194.165.17.199:6892 udp
LT 194.165.17.200:6892 udp
LT 194.165.17.201:6892 udp
LT 194.165.17.202:6892 udp
LT 194.165.17.203:6892 udp
LT 194.165.17.204:6892 udp
LT 194.165.17.205:6892 udp
LT 194.165.17.206:6892 udp
LT 194.165.17.207:6892 udp
LT 194.165.17.208:6892 udp
LT 194.165.17.209:6892 udp
LT 194.165.17.210:6892 udp
LT 194.165.17.211:6892 udp
LT 194.165.17.212:6892 udp
LT 194.165.17.213:6892 udp
LT 194.165.17.214:6892 udp
LT 194.165.17.215:6892 udp
LT 194.165.17.216:6892 udp
LT 194.165.17.217:6892 udp
LT 194.165.17.218:6892 udp
LT 194.165.17.219:6892 udp
LT 194.165.17.220:6892 udp
LT 194.165.17.221:6892 udp
LT 194.165.17.222:6892 udp
LT 194.165.17.223:6892 udp
LT 194.165.17.224:6892 udp
LT 194.165.17.225:6892 udp
LT 194.165.17.226:6892 udp
LT 194.165.17.227:6892 udp
LT 194.165.17.228:6892 udp
LT 194.165.17.229:6892 udp
LT 194.165.17.230:6892 udp
LT 194.165.17.231:6892 udp
LT 194.165.17.232:6892 udp
LT 194.165.17.233:6892 udp
LT 194.165.17.234:6892 udp
LT 194.165.17.235:6892 udp
LT 194.165.17.236:6892 udp
LT 194.165.17.237:6892 udp
LT 194.165.17.238:6892 udp
LT 194.165.17.239:6892 udp
LT 194.165.17.240:6892 udp
LT 194.165.17.241:6892 udp
LT 194.165.17.242:6892 udp
LT 194.165.17.243:6892 udp
LT 194.165.17.244:6892 udp
LT 194.165.17.245:6892 udp
LT 194.165.17.246:6892 udp
LT 194.165.17.247:6892 udp
LT 194.165.17.248:6892 udp
LT 194.165.17.249:6892 udp
LT 194.165.17.250:6892 udp
LT 194.165.17.251:6892 udp
LT 194.165.17.252:6892 udp
LT 194.165.17.253:6892 udp
LT 194.165.17.254:6892 udp
LT 194.165.17.255:6892 udp
N/A 127.0.0.0:6892 udp
N/A 127.0.0.1:6892 udp
N/A 127.0.0.2:6892 udp
N/A 127.0.0.3:6892 udp
N/A 127.0.0.4:6892 udp
N/A 127.0.0.5:6892 udp
N/A 127.0.0.6:6892 udp
N/A 127.0.0.7:6892 udp
N/A 127.0.0.8:6892 udp
N/A 127.0.0.9:6892 udp
N/A 127.0.0.10:6892 udp
N/A 127.0.0.11:6892 udp
N/A 127.0.0.12:6892 udp
N/A 127.0.0.13:6892 udp
N/A 127.0.0.14:6892 udp
N/A 127.0.0.15:6892 udp
N/A 127.0.0.16:6892 udp
N/A 127.0.0.17:6892 udp
N/A 127.0.0.18:6892 udp
N/A 127.0.0.19:6892 udp
N/A 127.0.0.20:6892 udp
N/A 127.0.0.21:6892 udp
N/A 127.0.0.22:6892 udp
N/A 127.0.0.23:6892 udp
N/A 127.0.0.24:6892 udp
N/A 127.0.0.25:6892 udp
N/A 127.0.0.26:6892 udp
N/A 127.0.0.27:6892 udp
N/A 127.0.0.28:6892 udp
N/A 127.0.0.29:6892 udp
N/A 127.0.0.30:6892 udp
N/A 127.0.0.31:6892 udp
N/A 192.168.0.0:6892 udp
N/A 192.168.0.1:6892 udp
N/A 192.168.0.2:6892 udp
N/A 192.168.0.3:6892 udp
N/A 192.168.0.4:6892 udp
N/A 192.168.0.5:6892 udp
N/A 192.168.0.6:6892 udp
N/A 192.168.0.7:6892 udp
N/A 192.168.0.8:6892 udp
N/A 192.168.0.9:6892 udp
N/A 192.168.0.10:6892 udp
N/A 192.168.0.11:6892 udp
N/A 192.168.0.12:6892 udp
N/A 192.168.0.13:6892 udp
N/A 192.168.0.14:6892 udp
N/A 192.168.0.15:6892 udp
N/A 192.168.0.16:6892 udp
N/A 192.168.0.17:6892 udp
N/A 192.168.0.18:6892 udp
N/A 192.168.0.19:6892 udp
N/A 192.168.0.20:6892 udp
N/A 192.168.0.21:6892 udp
N/A 192.168.0.22:6892 udp
N/A 192.168.0.23:6892 udp
N/A 192.168.0.24:6892 udp
N/A 192.168.0.25:6892 udp
N/A 192.168.0.26:6892 udp
N/A 192.168.0.27:6892 udp
N/A 192.168.0.28:6892 udp
N/A 192.168.0.29:6892 udp
N/A 192.168.0.30:6892 udp
N/A 192.168.0.31:6892 udp
LT 194.165.16.0:6892 udp
LT 194.165.16.1:6892 udp
LT 194.165.16.2:6892 udp
LT 194.165.16.3:6892 udp
LT 194.165.16.4:6892 udp
LT 194.165.16.5:6892 udp
LT 194.165.16.6:6892 udp
LT 194.165.16.7:6892 udp
LT 194.165.16.8:6892 udp
LT 194.165.16.9:6892 udp
LT 194.165.16.10:6892 udp
LT 194.165.16.11:6892 udp
LT 194.165.16.12:6892 udp
LT 194.165.16.13:6892 udp
LT 194.165.16.14:6892 udp
LT 194.165.16.15:6892 udp
LT 194.165.16.16:6892 udp
LT 194.165.16.17:6892 udp
LT 194.165.16.18:6892 udp
LT 194.165.16.19:6892 udp
LT 194.165.16.20:6892 udp
LT 194.165.16.21:6892 udp
LT 194.165.16.22:6892 udp
LT 194.165.16.23:6892 udp
LT 194.165.16.24:6892 udp
LT 194.165.16.25:6892 udp
LT 194.165.16.26:6892 udp
LT 194.165.16.27:6892 udp
LT 194.165.16.28:6892 udp
LT 194.165.16.29:6892 udp
LT 194.165.16.30:6892 udp
LT 194.165.16.31:6892 udp
LT 194.165.16.32:6892 udp
LT 194.165.16.33:6892 udp
LT 194.165.16.34:6892 udp
LT 194.165.16.35:6892 udp
LT 194.165.16.36:6892 udp
LT 194.165.16.37:6892 udp
LT 194.165.16.38:6892 udp
LT 194.165.16.39:6892 udp
LT 194.165.16.40:6892 udp
LT 194.165.16.41:6892 udp
LT 194.165.16.42:6892 udp
LT 194.165.16.43:6892 udp
LT 194.165.16.44:6892 udp
LT 194.165.16.45:6892 udp
LT 194.165.16.46:6892 udp
LT 194.165.16.47:6892 udp
LT 194.165.16.48:6892 udp
LT 194.165.16.49:6892 udp
LT 194.165.16.50:6892 udp
LT 194.165.16.51:6892 udp
LT 194.165.16.52:6892 udp
LT 194.165.16.53:6892 udp
LT 194.165.16.54:6892 udp
LT 194.165.16.55:6892 udp
LT 194.165.16.56:6892 udp
LT 194.165.16.57:6892 udp
LT 194.165.16.58:6892 udp
LT 194.165.16.59:6892 udp
LT 194.165.16.60:6892 udp
LT 194.165.16.61:6892 udp
LT 194.165.16.62:6892 udp
LT 194.165.16.63:6892 udp
LT 194.165.16.64:6892 udp
LT 194.165.16.65:6892 udp
LT 194.165.16.66:6892 udp
LT 194.165.16.67:6892 udp
LT 194.165.16.68:6892 udp
LT 194.165.16.69:6892 udp
LT 194.165.16.70:6892 udp
LT 194.165.16.71:6892 udp
LT 194.165.16.72:6892 udp
LT 194.165.16.73:6892 udp
LT 194.165.16.74:6892 udp
LT 194.165.16.75:6892 udp
LT 194.165.16.76:6892 udp
LT 194.165.16.77:6892 udp
LT 194.165.16.78:6892 udp
LT 194.165.16.79:6892 udp
LT 194.165.16.80:6892 udp
LT 194.165.16.81:6892 udp
LT 194.165.16.82:6892 udp
LT 194.165.16.83:6892 udp
LT 194.165.16.84:6892 udp
LT 194.165.16.85:6892 udp
LT 194.165.16.86:6892 udp
LT 194.165.16.87:6892 udp
LT 194.165.16.88:6892 udp
LT 194.165.16.89:6892 udp
LT 194.165.16.90:6892 udp
LT 194.165.16.91:6892 udp
LT 194.165.16.92:6892 udp
LT 194.165.16.93:6892 udp
LT 194.165.16.94:6892 udp
LT 194.165.16.95:6892 udp
LT 194.165.16.96:6892 udp
LT 194.165.16.97:6892 udp
LT 194.165.16.98:6892 udp
LT 194.165.16.99:6892 udp
LT 194.165.16.100:6892 udp
LT 194.165.16.101:6892 udp
LT 194.165.16.102:6892 udp
LT 194.165.16.103:6892 udp
LT 194.165.16.104:6892 udp
LT 194.165.16.105:6892 udp
LT 194.165.16.106:6892 udp
LT 194.165.16.107:6892 udp
LT 194.165.16.108:6892 udp
LT 194.165.16.109:6892 udp
LT 194.165.16.110:6892 udp
LT 194.165.16.111:6892 udp
LT 194.165.16.112:6892 udp
LT 194.165.16.113:6892 udp
LT 194.165.16.114:6892 udp
LT 194.165.16.115:6892 udp
LT 194.165.16.116:6892 udp
LT 194.165.16.117:6892 udp
LT 194.165.16.118:6892 udp
LT 194.165.16.119:6892 udp
LT 194.165.16.120:6892 udp
LT 194.165.16.121:6892 udp
LT 194.165.16.122:6892 udp
LT 194.165.16.123:6892 udp
LT 194.165.16.124:6892 udp
LT 194.165.16.125:6892 udp
LT 194.165.16.126:6892 udp
LT 194.165.16.127:6892 udp
LT 194.165.16.128:6892 udp
LT 194.165.16.129:6892 udp
LT 194.165.16.130:6892 udp
LT 194.165.16.131:6892 udp
LT 194.165.16.132:6892 udp
LT 194.165.16.133:6892 udp
LT 194.165.16.134:6892 udp
LT 194.165.16.135:6892 udp
LT 194.165.16.136:6892 udp
LT 194.165.16.137:6892 udp
LT 194.165.16.138:6892 udp
LT 194.165.16.139:6892 udp
LT 194.165.16.140:6892 udp
LT 194.165.16.141:6892 udp
LT 194.165.16.142:6892 udp
LT 194.165.16.143:6892 udp
LT 194.165.16.144:6892 udp
LT 194.165.16.145:6892 udp
LT 194.165.16.146:6892 udp
LT 194.165.16.147:6892 udp
LT 194.165.16.148:6892 udp
LT 194.165.16.149:6892 udp
LT 194.165.16.150:6892 udp
LT 194.165.16.151:6892 udp
LT 194.165.16.152:6892 udp
LT 194.165.16.153:6892 udp
LT 194.165.16.154:6892 udp
LT 194.165.16.155:6892 udp
LT 194.165.16.156:6892 udp
LT 194.165.16.157:6892 udp
LT 194.165.16.158:6892 udp
LT 194.165.16.159:6892 udp
LT 194.165.16.160:6892 udp
LT 194.165.16.161:6892 udp
LT 194.165.16.162:6892 udp
LT 194.165.16.163:6892 udp
LT 194.165.16.164:6892 udp
LT 194.165.16.165:6892 udp
LT 194.165.16.166:6892 udp
LT 194.165.16.167:6892 udp
LT 194.165.16.168:6892 udp
LT 194.165.16.169:6892 udp
LT 194.165.16.170:6892 udp
LT 194.165.16.171:6892 udp
LT 194.165.16.172:6892 udp
LT 194.165.16.173:6892 udp
LT 194.165.16.174:6892 udp
LT 194.165.16.175:6892 udp
LT 194.165.16.176:6892 udp
LT 194.165.16.177:6892 udp
LT 194.165.16.178:6892 udp
LT 194.165.16.179:6892 udp
LT 194.165.16.180:6892 udp
LT 194.165.16.181:6892 udp
LT 194.165.16.182:6892 udp
LT 194.165.16.183:6892 udp
LT 194.165.16.184:6892 udp
LT 194.165.16.185:6892 udp
LT 194.165.16.186:6892 udp
LT 194.165.16.187:6892 udp
LT 194.165.16.188:6892 udp
LT 194.165.16.189:6892 udp
LT 194.165.16.190:6892 udp
LT 194.165.16.191:6892 udp
LT 194.165.16.192:6892 udp
LT 194.165.16.193:6892 udp
LT 194.165.16.194:6892 udp
LT 194.165.16.195:6892 udp
LT 194.165.16.196:6892 udp
LT 194.165.16.197:6892 udp
LT 194.165.16.198:6892 udp
LT 194.165.16.199:6892 udp
LT 194.165.16.200:6892 udp
LT 194.165.16.201:6892 udp
LT 194.165.16.202:6892 udp
LT 194.165.16.203:6892 udp
LT 194.165.16.204:6892 udp
LT 194.165.16.205:6892 udp
LT 194.165.16.206:6892 udp
LT 194.165.16.207:6892 udp
LT 194.165.16.208:6892 udp
LT 194.165.16.209:6892 udp
LT 194.165.16.210:6892 udp
LT 194.165.16.211:6892 udp
LT 194.165.16.212:6892 udp
LT 194.165.16.213:6892 udp
LT 194.165.16.214:6892 udp
LT 194.165.16.215:6892 udp
LT 194.165.16.216:6892 udp
LT 194.165.16.217:6892 udp
LT 194.165.16.218:6892 udp
LT 194.165.16.219:6892 udp
LT 194.165.16.220:6892 udp
LT 194.165.16.221:6892 udp
LT 194.165.16.222:6892 udp
LT 194.165.16.223:6892 udp
LT 194.165.16.224:6892 udp
LT 194.165.16.225:6892 udp
LT 194.165.16.226:6892 udp
LT 194.165.16.227:6892 udp
LT 194.165.16.228:6892 udp
LT 194.165.16.229:6892 udp
LT 194.165.16.230:6892 udp
LT 194.165.16.231:6892 udp
LT 194.165.16.232:6892 udp
LT 194.165.16.233:6892 udp
LT 194.165.16.234:6892 udp
LT 194.165.16.235:6892 udp
LT 194.165.16.236:6892 udp
LT 194.165.16.237:6892 udp
LT 194.165.16.238:6892 udp
LT 194.165.16.239:6892 udp
LT 194.165.16.240:6892 udp
LT 194.165.16.241:6892 udp
LT 194.165.16.242:6892 udp
LT 194.165.16.243:6892 udp
LT 194.165.16.244:6892 udp
LT 194.165.16.245:6892 udp
LT 194.165.16.246:6892 udp
LT 194.165.16.247:6892 udp
LT 194.165.16.248:6892 udp
LT 194.165.16.249:6892 udp
LT 194.165.16.250:6892 udp
LT 194.165.16.251:6892 udp
LT 194.165.16.252:6892 udp
LT 194.165.16.253:6892 udp
LT 194.165.16.254:6892 udp
LT 194.165.16.255:6892 udp
LT 194.165.17.0:6892 udp
LT 194.165.17.1:6892 udp
LT 194.165.17.2:6892 udp
LT 194.165.17.3:6892 udp
LT 194.165.17.4:6892 udp
LT 194.165.17.5:6892 udp
LT 194.165.17.6:6892 udp
LT 194.165.17.7:6892 udp
LT 194.165.17.8:6892 udp
LT 194.165.17.9:6892 udp
LT 194.165.17.10:6892 udp
LT 194.165.17.11:6892 udp
LT 194.165.17.12:6892 udp
LT 194.165.17.13:6892 udp
LT 194.165.17.14:6892 udp
LT 194.165.17.15:6892 udp
LT 194.165.17.16:6892 udp
LT 194.165.17.17:6892 udp
LT 194.165.17.18:6892 udp
LT 194.165.17.19:6892 udp
LT 194.165.17.20:6892 udp
LT 194.165.17.21:6892 udp
LT 194.165.17.22:6892 udp
LT 194.165.17.23:6892 udp
LT 194.165.17.24:6892 udp
LT 194.165.17.25:6892 udp
LT 194.165.17.26:6892 udp
LT 194.165.17.27:6892 udp
LT 194.165.17.28:6892 udp
LT 194.165.17.29:6892 udp
LT 194.165.17.30:6892 udp
LT 194.165.17.31:6892 udp
LT 194.165.17.32:6892 udp
LT 194.165.17.33:6892 udp
LT 194.165.17.34:6892 udp
LT 194.165.17.35:6892 udp
LT 194.165.17.36:6892 udp
LT 194.165.17.37:6892 udp
LT 194.165.17.38:6892 udp
LT 194.165.17.39:6892 udp
LT 194.165.17.40:6892 udp
LT 194.165.17.41:6892 udp
LT 194.165.17.42:6892 udp
LT 194.165.17.43:6892 udp
LT 194.165.17.44:6892 udp
LT 194.165.17.45:6892 udp
LT 194.165.17.46:6892 udp
LT 194.165.17.47:6892 udp
LT 194.165.17.48:6892 udp
LT 194.165.17.49:6892 udp
LT 194.165.17.50:6892 udp
LT 194.165.17.51:6892 udp
LT 194.165.17.52:6892 udp
LT 194.165.17.53:6892 udp
LT 194.165.17.54:6892 udp
LT 194.165.17.55:6892 udp
LT 194.165.17.56:6892 udp
LT 194.165.17.57:6892 udp
LT 194.165.17.58:6892 udp
LT 194.165.17.59:6892 udp
LT 194.165.17.60:6892 udp
LT 194.165.17.61:6892 udp
LT 194.165.17.62:6892 udp
LT 194.165.17.63:6892 udp
LT 194.165.17.64:6892 udp
LT 194.165.17.65:6892 udp
LT 194.165.17.66:6892 udp
LT 194.165.17.67:6892 udp
LT 194.165.17.68:6892 udp
LT 194.165.17.69:6892 udp
LT 194.165.17.70:6892 udp
LT 194.165.17.71:6892 udp
LT 194.165.17.72:6892 udp
LT 194.165.17.73:6892 udp
LT 194.165.17.74:6892 udp
LT 194.165.17.75:6892 udp
LT 194.165.17.76:6892 udp
LT 194.165.17.77:6892 udp
LT 194.165.17.78:6892 udp
LT 194.165.17.79:6892 udp
LT 194.165.17.80:6892 udp
LT 194.165.17.81:6892 udp
LT 194.165.17.82:6892 udp
LT 194.165.17.83:6892 udp
LT 194.165.17.84:6892 udp
LT 194.165.17.85:6892 udp
LT 194.165.17.86:6892 udp
LT 194.165.17.87:6892 udp
LT 194.165.17.88:6892 udp
LT 194.165.17.89:6892 udp
LT 194.165.17.90:6892 udp
LT 194.165.17.91:6892 udp
LT 194.165.17.92:6892 udp
LT 194.165.17.93:6892 udp
LT 194.165.17.94:6892 udp
LT 194.165.17.95:6892 udp
LT 194.165.17.96:6892 udp
LT 194.165.17.97:6892 udp
LT 194.165.17.98:6892 udp
LT 194.165.17.99:6892 udp
LT 194.165.17.100:6892 udp
LT 194.165.17.101:6892 udp
LT 194.165.17.102:6892 udp
LT 194.165.17.103:6892 udp
LT 194.165.17.104:6892 udp
LT 194.165.17.105:6892 udp
LT 194.165.17.106:6892 udp
LT 194.165.17.107:6892 udp
LT 194.165.17.108:6892 udp
LT 194.165.17.109:6892 udp
LT 194.165.17.110:6892 udp
LT 194.165.17.111:6892 udp
LT 194.165.17.112:6892 udp
LT 194.165.17.113:6892 udp
LT 194.165.17.114:6892 udp
LT 194.165.17.115:6892 udp
LT 194.165.17.116:6892 udp
LT 194.165.17.117:6892 udp
LT 194.165.17.118:6892 udp
LT 194.165.17.119:6892 udp
LT 194.165.17.120:6892 udp
LT 194.165.17.121:6892 udp
LT 194.165.17.122:6892 udp
LT 194.165.17.123:6892 udp
LT 194.165.17.124:6892 udp
LT 194.165.17.125:6892 udp
LT 194.165.17.126:6892 udp
LT 194.165.17.127:6892 udp
LT 194.165.17.128:6892 udp
LT 194.165.17.129:6892 udp
LT 194.165.17.130:6892 udp
LT 194.165.17.131:6892 udp
LT 194.165.17.132:6892 udp
LT 194.165.17.133:6892 udp
LT 194.165.17.134:6892 udp
LT 194.165.17.135:6892 udp
LT 194.165.17.136:6892 udp
LT 194.165.17.137:6892 udp
LT 194.165.17.138:6892 udp
LT 194.165.17.139:6892 udp
LT 194.165.17.140:6892 udp
LT 194.165.17.141:6892 udp
LT 194.165.17.142:6892 udp
LT 194.165.17.143:6892 udp
LT 194.165.17.144:6892 udp
LT 194.165.17.145:6892 udp
LT 194.165.17.146:6892 udp
LT 194.165.17.147:6892 udp
LT 194.165.17.148:6892 udp
LT 194.165.17.149:6892 udp
LT 194.165.17.150:6892 udp
LT 194.165.17.151:6892 udp
LT 194.165.17.152:6892 udp
LT 194.165.17.153:6892 udp
LT 194.165.17.154:6892 udp
LT 194.165.17.155:6892 udp
LT 194.165.17.156:6892 udp
LT 194.165.17.157:6892 udp
LT 194.165.17.158:6892 udp
LT 194.165.17.159:6892 udp
LT 194.165.17.160:6892 udp
LT 194.165.17.161:6892 udp
LT 194.165.17.162:6892 udp
LT 194.165.17.163:6892 udp
LT 194.165.17.164:6892 udp
LT 194.165.17.165:6892 udp
LT 194.165.17.166:6892 udp
LT 194.165.17.167:6892 udp
LT 194.165.17.168:6892 udp
LT 194.165.17.169:6892 udp
LT 194.165.17.170:6892 udp
LT 194.165.17.171:6892 udp
LT 194.165.17.172:6892 udp
LT 194.165.17.173:6892 udp
LT 194.165.17.174:6892 udp
LT 194.165.17.175:6892 udp
LT 194.165.17.176:6892 udp
LT 194.165.17.177:6892 udp
LT 194.165.17.178:6892 udp
LT 194.165.17.179:6892 udp
LT 194.165.17.180:6892 udp
LT 194.165.17.181:6892 udp
LT 194.165.17.182:6892 udp
LT 194.165.17.183:6892 udp
LT 194.165.17.184:6892 udp
LT 194.165.17.185:6892 udp
LT 194.165.17.186:6892 udp
LT 194.165.17.187:6892 udp
LT 194.165.17.188:6892 udp
LT 194.165.17.189:6892 udp
LT 194.165.17.190:6892 udp
LT 194.165.17.191:6892 udp
LT 194.165.17.192:6892 udp
LT 194.165.17.193:6892 udp
LT 194.165.17.194:6892 udp
LT 194.165.17.195:6892 udp
LT 194.165.17.196:6892 udp
LT 194.165.17.197:6892 udp
LT 194.165.17.198:6892 udp
LT 194.165.17.199:6892 udp
LT 194.165.17.200:6892 udp
LT 194.165.17.201:6892 udp
LT 194.165.17.202:6892 udp
LT 194.165.17.203:6892 udp
LT 194.165.17.204:6892 udp
LT 194.165.17.205:6892 udp
LT 194.165.17.206:6892 udp
LT 194.165.17.207:6892 udp
LT 194.165.17.208:6892 udp
LT 194.165.17.209:6892 udp
LT 194.165.17.210:6892 udp
LT 194.165.17.211:6892 udp
LT 194.165.17.212:6892 udp
LT 194.165.17.213:6892 udp
LT 194.165.17.214:6892 udp
LT 194.165.17.215:6892 udp
LT 194.165.17.216:6892 udp
LT 194.165.17.217:6892 udp
LT 194.165.17.218:6892 udp
LT 194.165.17.219:6892 udp
LT 194.165.17.220:6892 udp
LT 194.165.17.221:6892 udp
LT 194.165.17.222:6892 udp
LT 194.165.17.223:6892 udp
LT 194.165.17.224:6892 udp
LT 194.165.17.225:6892 udp
LT 194.165.17.226:6892 udp
LT 194.165.17.227:6892 udp
LT 194.165.17.228:6892 udp
LT 194.165.17.229:6892 udp
LT 194.165.17.230:6892 udp
LT 194.165.17.231:6892 udp
LT 194.165.17.232:6892 udp
LT 194.165.17.233:6892 udp
LT 194.165.17.234:6892 udp
LT 194.165.17.235:6892 udp
LT 194.165.17.236:6892 udp
LT 194.165.17.237:6892 udp
LT 194.165.17.238:6892 udp
LT 194.165.17.239:6892 udp
LT 194.165.17.240:6892 udp
LT 194.165.17.241:6892 udp
LT 194.165.17.242:6892 udp
LT 194.165.17.243:6892 udp
LT 194.165.17.244:6892 udp
LT 194.165.17.245:6892 udp
LT 194.165.17.246:6892 udp
LT 194.165.17.247:6892 udp
LT 194.165.17.248:6892 udp
LT 194.165.17.249:6892 udp
LT 194.165.17.250:6892 udp
LT 194.165.17.251:6892 udp
LT 194.165.17.252:6892 udp
LT 194.165.17.253:6892 udp
LT 194.165.17.254:6892 udp
LT 194.165.17.255:6892 udp
US 8.8.8.8:53 avsxrcoq2q5fgrw2.s611js.top udp
US 8.8.8.8:53 btc.blockr.io udp
US 8.8.8.8:53 api.blockcypher.com udp
US 172.67.17.223:80 api.blockcypher.com tcp
US 8.8.8.8:53 chain.so udp
US 104.22.64.108:443 chain.so tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

\Users\Admin\AppData\Local\Temp\nstAAC.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

memory/2392-11-0x00000000025E0000-0x000000000260D000-memory.dmp

memory/1644-13-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1644-15-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1644-16-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1644-21-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1644-22-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2392-24-0x00000000025E0000-0x000000000260D000-memory.dmp

memory/1644-25-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1644-26-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1644-27-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\Pictures\_README_.hta

MD5 748b0f07eb2f0d1f799d38054824d064
SHA1 16c21023ccdb0779cc69a58bacec8414d25704a4
SHA256 9efc7c5891a0dd82e359127c9e11fe11666ed31e480adf8e52c6e7864eb47d99
SHA512 ac99f6c44f9c839b9bafd34c9a863a34065b0b7a41deb3933949fe1853129fde0d03d36157e7fb24ffc51a979a90881b144dba90986ee2b37a822b588414fd48

memory/1644-240-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1644-247-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1644-259-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win7-20240508-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 244

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 29f0f324b768eb010d87a47e027b3e70
SHA1 419be293b9ff59e114fb55d8e8701f78066e053b
SHA256 35c51add1ca10d624e871df527af21055af029c7e2e4746bb239096af52dc238
SHA512 589fb83f929608b71aa87080ff4a7f206b605c329b3eb082676fc75dff6617698e192a785107a4bce6bf6b9d4abc3a7d4bd7715fd991570b8ad04778e71a6114

\Users\Admin\AppData\Local\Temp\nsy2C01.tmp\UserInfo.dll

MD5 b98f45a83c1d09132e1e4ada1387a6f8
SHA1 9f0a343ec5060b269d36fe1045cff14185f15d1b
SHA256 23661a4b1f3d6744fcdd1b2379e5e602e6cf6bd5950b2d19b844527b2f626e99
SHA512 cb446acd93c4dd79e81b920075a7055140b27d3e83b43ad899736a0d37e709974b27c5340a4b864e3b41714523dd4daee07b506a2c40b36f9b9d05fdd5cc2612

\Users\Admin\AppData\Local\Temp\nsy2C01.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win7-20240419-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 224

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win7-20240508-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 224

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 2840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 2840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2840 -ip 2840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:35

Platform

win10v2004-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\jqueryValidatorI18n.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\jqueryValidatorI18n.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.213.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win7-20240221-en

Max time kernel

117s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 228

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 3416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1604 wrote to memory of 3416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1604 wrote to memory of 3416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\_class.noobSlide.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\_class.noobSlide.js

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

132s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\_class.noobSlide.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\_class.noobSlide.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e411c2df17b88a85174574c5cdb51da_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3236 -ip 3236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 920

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

memory/3236-10-0x0000000002700000-0x000000000272D000-memory.dmp

memory/3236-12-0x0000000002700000-0x000000000272D000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-17 03:35

Reported

2024-05-17 03:37

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 972 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 972 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2448 -ip 2448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

N/A