Malware Analysis Report

2024-09-22 14:27

Sample ID 240530-mncc1sfd24
Target 83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118
SHA256 470d82dec3c67b3d319ac7774f4276de82a5c853c8c39bb626df0fe81d6a1859
Tags
cerber defense_evasion discovery execution impact ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

470d82dec3c67b3d319ac7774f4276de82a5c853c8c39bb626df0fe81d6a1859

Threat Level: Known bad

The file 83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cerber defense_evasion discovery execution impact ransomware spyware stealer

Cerber

Deletes shadow copies

Blocklisted process makes network request

Contacts a large (517) amount of remote hosts

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Runs ping.exe

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-30 10:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-30 10:36

Reported

2024-05-30 10:38

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3136 wrote to memory of 4764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3136 wrote to memory of 4764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3136 wrote to memory of 4764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-30 10:36

Reported

2024-05-30 10:38

Platform

win10v2004-20240426-en

Max time kernel

115s

Max time network

116s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3888 wrote to memory of 3904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3888 wrote to memory of 3904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3888 wrote to memory of 3904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3904 -ip 3904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-30 10:36

Reported

2024-05-30 10:38

Platform

win10v2004-20240426-en

Max time kernel

94s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 8fa298cda497c00f7fc3f66c5b833c18
SHA1 5ec6abbd95d5e6e11a88bf58da75588dc62356e4
SHA256 58e900d7fd20ec0e308d68cdeb6e45de9ee0ec5b25fe5853f854cfc6c12df6fb
SHA512 3845dff86122ccb1932db0abed4daf202d750938f1a46eb971851897deb79ab055bc0c86ca9c30a61d1f201d672fc6b247650e5c3cb3511e4d62c2c8a36f1f08

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-30 10:36

Reported

2024-05-30 10:38

Platform

win7-20240221-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\store.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7240AB91-1E70-11EF-873B-52ADCDCA366E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000932c808b3e379c43aade047b3c5a684a00000000020000000000106600000001000020000000e09a597f31c51ec231c6b93f3002c47b30a9cfd84eb7b36f00e82526b6ed7d2f000000000e8000000002000020000000270177e76e14f95fa381f899315ae715f0a68ae21deb222ee0c9f13f5f93087920000000bf5347071caed12b7486f106707c5a38966970c866f1997869fc2c601fb705c84000000051bff888d18915bcf20210b8a85c2181baeb69b12949cd68446255bacedd85856495b805fe7e1d29a054a6d1b3fd65ec53a765cdccf2d74f374b42c08619bd5d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423227245" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7059ae497db2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\store.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 rcm.amazon.com udp
US 8.8.8.8:53 www.jjtc.com udp
US 67.20.76.247:80 www.jjtc.com tcp
US 67.20.76.247:80 www.jjtc.com tcp
US 8.8.8.8:53 astore.amazon.com udp
US 176.32.98.40:80 astore.amazon.com tcp
US 176.32.98.40:80 astore.amazon.com tcp
US 8.8.8.8:53 g-ecx.images-amazon.com udp
US 67.20.76.247:443 www.jjtc.com tcp
FR 18.155.131.54:80 g-ecx.images-amazon.com tcp
FR 18.155.131.54:80 g-ecx.images-amazon.com tcp
US 67.20.76.247:443 www.jjtc.com tcp
US 67.20.76.247:443 www.jjtc.com tcp
US 67.20.76.247:443 www.jjtc.com tcp
US 8.8.8.8:53 rcm.amazon.com udp
GB 216.58.213.14:80 www.google-analytics.com tcp
GB 216.58.213.14:80 www.google-analytics.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab46E1.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar47E3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b


Analysis: behavioral10

Detonation Overview

Submitted

2024-05-30 10:36

Reported

2024-05-30 10:38

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\store.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 8 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 8 wrote to memory of 1580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 8 wrote to memory of 4716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 8 wrote to memory of 4244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\store.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe401546f8,0x7ffe40154708,0x7ffe40154718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,8727594493783197795,16114384887369121517,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1920 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 astore.amazon.com udp
US 52.46.143.153:80 astore.amazon.com tcp
US 8.8.8.8:53 rcm.amazon.com udp
US 8.8.8.8:53 www.jjtc.com udp
GB 216.58.213.14:80 www.google-analytics.com tcp
US 67.20.76.247:80 www.jjtc.com tcp
US 8.8.8.8:53 g-ecx.images-amazon.com udp
FR 18.155.131.54:80 g-ecx.images-amazon.com tcp
US 67.20.76.247:80 www.jjtc.com tcp
US 67.20.76.247:443 www.jjtc.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 153.143.46.52.in-addr.arpa udp
US 8.8.8.8:53 54.131.155.18.in-addr.arpa udp
US 8.8.8.8:53 247.76.20.67.in-addr.arpa udp
NL 23.62.61.162:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_8_VURGEWJEOFJKDVNB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f4fdf3976922dff29ba17eb259b68100
SHA1 8625666d8889d22b349482f32834a15e9129aa21
SHA256 31408c76be6332627ddadf1e22ed70d92830ca8ffdc77d59a8f5cfb997a31a3b
SHA512 f042259c34b9991b938230b6aa09a79c843406dfb8cc6e589dddad665db29963223faabcf9a95375e98849ae239f831521e2f8b4b6eab2a3d4bc04304bba3d6e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d48b3f17b02649061198b5ef33989259
SHA1 3c21c8d3da4a689187cc158f87425d6c2e13e167
SHA256 5c5295752878181cefbfbad83903d46090061861432b6835f290f5306446a07e
SHA512 2483f4dea546b3116bffee9753711650025114eab335722948d68f4da63d0e44f098365ed9a0266956b1df22f8f900561dc2d86dc4a3817adef1ec8d9e27ad6f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c0215481bf32bf7964559ac96685b42e
SHA1 9894f055a7a55c81fb1792a1538dab31f5408639
SHA256 945d5aba63fc8141b6a6ffede81f8d633200fa7311119e66e264b9e33f8c9b19
SHA512 dca5a8ec4f00d64ba5531f6d57cfe2f7677602f8a3ef9a7a0721cbcc426e6a059eecd7a6bdb53c43fbe85a585d67c054c27f6214d2c4c5aeb03af401f84ef1e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f6e27ae0105ed938030a86cbb63dcf9f
SHA1 b09031c9302aae9d07e8b0e26a5e44d8282eea00
SHA256 a4d22ac691997ea027162ab50218756a92b56efd39014c15b9c5057bee37d2c7
SHA512 5edb56842d5122675ba62c76a90edc685b63744ef2fb51adcf2e0d400dc9250d87fe9deabfd7fadd81067d9f347713e9718d196d696bc1a7f7222b9e47dd84b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 10:36

Reported

2024-05-30 10:38

Platform

win10v2004-20240426-en

Max time kernel

94s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4920 -ip 4920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 864

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsq2FCB.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

memory/4920-9-0x0000000002710000-0x000000000273E000-memory.dmp

memory/4920-11-0x0000000002710000-0x000000000273E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-30 10:36

Reported

2024-05-30 10:38

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 224

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-30 10:36

Reported

2024-05-30 10:38

Platform

win7-20240221-en

Max time kernel

119s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 228

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-30 10:36

Reported

2024-05-30 10:38

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 8fa298cda497c00f7fc3f66c5b833c18
SHA1 5ec6abbd95d5e6e11a88bf58da75588dc62356e4
SHA256 58e900d7fd20ec0e308d68cdeb6e45de9ee0ec5b25fe5853f854cfc6c12df6fb
SHA512 3845dff86122ccb1932db0abed4daf202d750938f1a46eb971851897deb79ab055bc0c86ca9c30a61d1f201d672fc6b247650e5c3cb3511e4d62c2c8a36f1f08

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 10:36

Reported

2024-05-30 10:38

Platform

win7-20240508-en

Max time kernel

119s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe"

Signatures

Cerber

ransomware cerber

Deletes shadow copies

ransomware defense_evasion impact execution

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Contacts a large (517) amount of remote hosts

discovery

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpD74C.bmp" C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_README_.hta C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe
PID 2960 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2664 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2960 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 2960 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 940 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 940 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic.exe shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\_README_.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "83ed601d78668f82bdd449f82d9f51c5_JaffaCakes118.exe"

C:\Windows\system32\PING.EXE

ping -n 1 127.0.0.1

Network

Country Destination Domain Proto
LT 194.165.17.11:6892 udp
LT 194.165.17.12:6892 udp
LT 194.165.17.13:6892 udp
LT 194.165.17.14:6892 udp
LT 194.165.17.15:6892 udp
LT 194.165.17.16:6892 udp
LT 194.165.17.17:6892 udp
LT 194.165.17.18:6892 udp
LT 194.165.17.19:6892 udp
LT 194.165.17.20:6892 udp
LT 194.165.17.21:6892 udp
LT 194.165.17.22:6892 udp
LT 194.165.17.23:6892 udp
LT 194.165.17.24:6892 udp
LT 194.165.17.25:6892 udp
LT 194.165.17.26:6892 udp
LT 194.165.17.27:6892 udp
LT 194.165.17.28:6892 udp
LT 194.165.17.29:6892 udp
LT 194.165.17.30:6892 udp
LT 194.165.17.31:6892 udp
LT 194.165.17.32:6892 udp
LT 194.165.17.33:6892 udp
LT 194.165.17.34:6892 udp
LT 194.165.17.35:6892 udp
LT 194.165.17.36:6892 udp
LT 194.165.17.37:6892 udp
LT 194.165.17.38:6892 udp
LT 194.165.17.39:6892 udp
LT 194.165.17.40:6892 udp
LT 194.165.17.41:6892 udp
LT 194.165.17.42:6892 udp
LT 194.165.17.43:6892 udp
LT 194.165.17.44:6892 udp
LT 194.165.17.45:6892 udp
LT 194.165.17.46:6892 udp
LT 194.165.17.47:6892 udp
LT 194.165.17.48:6892 udp
LT 194.165.17.49:6892 udp
LT 194.165.17.50:6892 udp
LT 194.165.17.51:6892 udp
LT 194.165.17.52:6892 udp
LT 194.165.17.53:6892 udp
LT 194.165.17.54:6892 udp
LT 194.165.17.55:6892 udp
LT 194.165.17.56:6892 udp
LT 194.165.17.57:6892 udp
LT 194.165.17.58:6892 udp
LT 194.165.17.59:6892 udp
LT 194.165.17.60:6892 udp
LT 194.165.17.61:6892 udp
LT 194.165.17.62:6892 udp
LT 194.165.17.63:6892 udp
LT 194.165.17.64:6892 udp
LT 194.165.17.65:6892 udp
LT 194.165.17.66:6892 udp
LT 194.165.17.67:6892 udp
LT 194.165.17.68:6892 udp
LT 194.165.17.69:6892 udp
LT 194.165.17.70:6892 udp
LT 194.165.17.71:6892 udp
LT 194.165.17.72:6892 udp
LT 194.165.17.73:6892 udp
LT 194.165.17.74:6892 udp
LT 194.165.17.75:6892 udp
LT 194.165.17.76:6892 udp
LT 194.165.17.77:6892 udp
LT 194.165.17.78:6892 udp
LT 194.165.17.79:6892 udp
LT 194.165.17.80:6892 udp
LT 194.165.17.81:6892 udp
LT 194.165.17.82:6892 udp
LT 194.165.17.83:6892 udp
LT 194.165.17.84:6892 udp
LT 194.165.17.85:6892 udp
LT 194.165.17.86:6892 udp
LT 194.165.17.87:6892 udp
LT 194.165.17.88:6892 udp
LT 194.165.17.89:6892 udp
LT 194.165.17.90:6892 udp
LT 194.165.17.91:6892 udp
LT 194.165.17.92:6892 udp
LT 194.165.17.93:6892 udp
LT 194.165.17.94:6892 udp
LT 194.165.17.95:6892 udp
LT 194.165.17.96:6892 udp
LT 194.165.17.97:6892 udp
LT 194.165.17.98:6892 udp
LT 194.165.17.99:6892 udp
LT 194.165.17.100:6892 udp
LT 194.165.17.101:6892 udp
LT 194.165.17.102:6892 udp
LT 194.165.17.103:6892 udp
LT 194.165.17.104:6892 udp
LT 194.165.17.105:6892 udp
LT 194.165.17.106:6892 udp
LT 194.165.17.107:6892 udp
LT 194.165.17.108:6892 udp
LT 194.165.17.109:6892 udp
LT 194.165.17.110:6892 udp
LT 194.165.17.111:6892 udp
LT 194.165.17.112:6892 udp
LT 194.165.17.113:6892 udp
LT 194.165.17.114:6892 udp
LT 194.165.17.115:6892 udp
LT 194.165.17.116:6892 udp
LT 194.165.17.117:6892 udp
LT 194.165.17.118:6892 udp
LT 194.165.17.119:6892 udp
LT 194.165.17.120:6892 udp
LT 194.165.17.121:6892 udp
LT 194.165.17.122:6892 udp
LT 194.165.17.123:6892 udp
LT 194.165.17.124:6892 udp
LT 194.165.17.125:6892 udp
LT 194.165.17.126:6892 udp
LT 194.165.17.127:6892 udp
LT 194.165.17.128:6892 udp
LT 194.165.17.129:6892 udp
LT 194.165.17.130:6892 udp
LT 194.165.17.131:6892 udp
LT 194.165.17.132:6892 udp
LT 194.165.17.133:6892 udp
LT 194.165.17.134:6892 udp
LT 194.165.17.135:6892 udp
LT 194.165.17.136:6892 udp
LT 194.165.17.137:6892 udp
LT 194.165.17.138:6892 udp
LT 194.165.17.139:6892 udp
LT 194.165.17.140:6892 udp
LT 194.165.17.141:6892 udp
LT 194.165.17.142:6892 udp
LT 194.165.17.143:6892 udp
LT 194.165.17.144:6892 udp
LT 194.165.17.145:6892 udp
LT 194.165.17.146:6892 udp
LT 194.165.17.147:6892 udp
LT 194.165.17.148:6892 udp
LT 194.165.17.149:6892 udp
LT 194.165.17.150:6892 udp
LT 194.165.17.151:6892 udp
LT 194.165.17.152:6892 udp
LT 194.165.17.153:6892 udp
LT 194.165.17.154:6892 udp
LT 194.165.17.155:6892 udp
LT 194.165.17.156:6892 udp
LT 194.165.17.157:6892 udp
LT 194.165.17.158:6892 udp
LT 194.165.17.159:6892 udp
LT 194.165.17.160:6892 udp
LT 194.165.17.161:6892 udp
LT 194.165.17.162:6892 udp
LT 194.165.17.163:6892 udp
LT 194.165.17.164:6892 udp
LT 194.165.17.165:6892 udp
LT 194.165.17.166:6892 udp
LT 194.165.17.167:6892 udp
LT 194.165.17.168:6892 udp
LT 194.165.17.169:6892 udp
LT 194.165.17.170:6892 udp
LT 194.165.17.171:6892 udp
LT 194.165.17.172:6892 udp
LT 194.165.17.173:6892 udp
LT 194.165.17.174:6892 udp
LT 194.165.17.175:6892 udp
LT 194.165.17.176:6892 udp
LT 194.165.17.177:6892 udp
LT 194.165.17.178:6892 udp
LT 194.165.17.179:6892 udp
LT 194.165.17.180:6892 udp
LT 194.165.17.181:6892 udp
LT 194.165.17.182:6892 udp
LT 194.165.17.183:6892 udp
LT 194.165.17.184:6892 udp
LT 194.165.17.185:6892 udp
LT 194.165.17.186:6892 udp
LT 194.165.17.187:6892 udp
LT 194.165.17.188:6892 udp
LT 194.165.17.189:6892 udp
LT 194.165.17.190:6892 udp
LT 194.165.17.191:6892 udp
LT 194.165.17.192:6892 udp
LT 194.165.17.193:6892 udp
LT 194.165.17.194:6892 udp
LT 194.165.17.195:6892 udp
LT 194.165.17.196:6892 udp
LT 194.165.17.197:6892 udp
LT 194.165.17.198:6892 udp
LT 194.165.17.199:6892 udp
LT 194.165.17.200:6892 udp
LT 194.165.17.201:6892 udp
LT 194.165.17.202:6892 udp
LT 194.165.17.203:6892 udp
LT 194.165.17.204:6892 udp
LT 194.165.17.205:6892 udp
LT 194.165.17.206:6892 udp
LT 194.165.17.207:6892 udp
LT 194.165.17.208:6892 udp
LT 194.165.17.209:6892 udp
LT 194.165.17.210:6892 udp
LT 194.165.17.211:6892 udp
LT 194.165.17.212:6892 udp
LT 194.165.17.213:6892 udp
LT 194.165.17.214:6892 udp
LT 194.165.17.215:6892 udp
LT 194.165.17.216:6892 udp
LT 194.165.17.217:6892 udp
LT 194.165.17.218:6892 udp
LT 194.165.17.219:6892 udp
LT 194.165.17.220:6892 udp
LT 194.165.17.221:6892 udp
LT 194.165.17.222:6892 udp
LT 194.165.17.223:6892 udp
LT 194.165.17.224:6892 udp
LT 194.165.17.225:6892 udp
LT 194.165.17.226:6892 udp
LT 194.165.17.227:6892 udp
LT 194.165.17.228:6892 udp
LT 194.165.17.229:6892 udp
LT 194.165.17.230:6892 udp
LT 194.165.17.231:6892 udp
LT 194.165.17.232:6892 udp
LT 194.165.17.233:6892 udp
LT 194.165.17.234:6892 udp
LT 194.165.17.235:6892 udp
LT 194.165.17.236:6892 udp
LT 194.165.17.237:6892 udp
LT 194.165.17.238:6892 udp
LT 194.165.17.239:6892 udp
LT 194.165.17.240:6892 udp
LT 194.165.17.241:6892 udp
LT 194.165.17.242:6892 udp
LT 194.165.17.243:6892 udp
LT 194.165.17.244:6892 udp
LT 194.165.17.245:6892 udp
LT 194.165.17.246:6892 udp
LT 194.165.17.247:6892 udp
LT 194.165.17.248:6892 udp
LT 194.165.17.249:6892 udp
LT 194.165.17.250:6892 udp
LT 194.165.17.251:6892 udp
LT 194.165.17.252:6892 udp
LT 194.165.17.253:6892 udp
LT 194.165.17.254:6892 udp
LT 194.165.17.255:6892 udp
N/A 192.168.0.0:6892 udp
N/A 192.168.0.1:6892 udp
N/A 192.168.0.2:6892 udp
N/A 192.168.0.3:6892 udp
N/A 192.168.0.4:6892 udp
N/A 192.168.0.5:6892 udp
N/A 192.168.0.6:6892 udp
N/A 192.168.0.7:6892 udp
N/A 192.168.0.8:6892 udp
N/A 192.168.0.9:6892 udp
N/A 192.168.0.10:6892 udp
N/A 192.168.0.11:6892 udp
N/A 192.168.0.12:6892 udp
N/A 192.168.0.13:6892 udp
N/A 192.168.0.14:6892 udp
N/A 192.168.0.15:6892 udp
N/A 192.168.0.16:6892 udp
N/A 192.168.0.17:6892 udp
N/A 192.168.0.18:6892 udp
N/A 192.168.0.19:6892 udp
N/A 192.168.0.20:6892 udp
N/A 192.168.0.21:6892 udp
N/A 192.168.0.22:6892 udp
N/A 192.168.0.23:6892 udp
N/A 192.168.0.24:6892 udp
N/A 192.168.0.25:6892 udp
N/A 192.168.0.26:6892 udp
N/A 192.168.0.27:6892 udp
N/A 192.168.0.28:6892 udp
N/A 192.168.0.29:6892 udp
N/A 192.168.0.30:6892 udp
N/A 192.168.0.31:6892 udp
LT 194.165.16.0:6892 udp
LT 194.165.16.1:6892 udp
LT 194.165.16.2:6892 udp
LT 194.165.16.3:6892 udp
LT 194.165.16.4:6892 udp
LT 194.165.16.5:6892 udp
LT 194.165.16.6:6892 udp
LT 194.165.16.7:6892 udp
LT 194.165.16.8:6892 udp
LT 194.165.16.9:6892 udp
LT 194.165.16.10:6892 udp
LT 194.165.16.11:6892 udp
LT 194.165.16.12:6892 udp
LT 194.165.16.13:6892 udp
LT 194.165.16.14:6892 udp
LT 194.165.16.15:6892 udp
LT 194.165.16.16:6892 udp
LT 194.165.16.17:6892 udp
LT 194.165.16.18:6892 udp
LT 194.165.16.19:6892 udp
LT 194.165.16.20:6892 udp
LT 194.165.16.21:6892 udp
LT 194.165.16.22:6892 udp
LT 194.165.16.23:6892 udp
LT 194.165.16.24:6892 udp
LT 194.165.16.25:6892 udp
LT 194.165.16.26:6892 udp
LT 194.165.16.27:6892 udp
LT 194.165.16.28:6892 udp
LT 194.165.16.29:6892 udp
LT 194.165.16.30:6892 udp
LT 194.165.16.31:6892 udp
LT 194.165.16.32:6892 udp
LT 194.165.16.33:6892 udp
LT 194.165.16.34:6892 udp
LT 194.165.16.35:6892 udp
LT 194.165.16.36:6892 udp
LT 194.165.16.37:6892 udp
LT 194.165.16.38:6892 udp
LT 194.165.16.39:6892 udp
LT 194.165.16.40:6892 udp
LT 194.165.16.41:6892 udp
LT 194.165.16.42:6892 udp
LT 194.165.16.43:6892 udp
LT 194.165.16.44:6892 udp
LT 194.165.16.45:6892 udp
LT 194.165.16.46:6892 udp
LT 194.165.16.47:6892 udp
LT 194.165.16.48:6892 udp
LT 194.165.16.49:6892 udp
LT 194.165.16.50:6892 udp
LT 194.165.16.51:6892 udp
LT 194.165.16.52:6892 udp
LT 194.165.16.53:6892 udp
LT 194.165.16.54:6892 udp
LT 194.165.16.55:6892 udp
LT 194.165.16.56:6892 udp
LT 194.165.16.57:6892 udp
LT 194.165.16.58:6892 udp
LT 194.165.16.59:6892 udp
LT 194.165.16.60:6892 udp
LT 194.165.16.61:6892 udp
LT 194.165.16.62:6892 udp
LT 194.165.16.63:6892 udp
LT 194.165.16.64:6892 udp
LT 194.165.16.65:6892 udp
LT 194.165.16.66:6892 udp
LT 194.165.16.67:6892 udp
LT 194.165.16.68:6892 udp
LT 194.165.16.69:6892 udp
LT 194.165.16.70:6892 udp
LT 194.165.16.71:6892 udp
LT 194.165.16.72:6892 udp
LT 194.165.16.73:6892 udp
LT 194.165.16.74:6892 udp
LT 194.165.16.75:6892 udp
LT 194.165.16.76:6892 udp
LT 194.165.16.77:6892 udp
LT 194.165.16.78:6892 udp
LT 194.165.16.79:6892 udp
LT 194.165.16.80:6892 udp
LT 194.165.16.81:6892 udp
LT 194.165.16.82:6892 udp
LT 194.165.16.83:6892 udp
LT 194.165.16.84:6892 udp
LT 194.165.16.85:6892 udp
LT 194.165.16.86:6892 udp
LT 194.165.16.87:6892 udp
LT 194.165.16.88:6892 udp
LT 194.165.16.89:6892 udp
LT 194.165.16.90:6892 udp
LT 194.165.16.91:6892 udp
LT 194.165.16.92:6892 udp
LT 194.165.16.93:6892 udp
LT 194.165.16.94:6892 udp
LT 194.165.16.95:6892 udp
LT 194.165.16.96:6892 udp
LT 194.165.16.97:6892 udp
LT 194.165.16.98:6892 udp
LT 194.165.16.99:6892 udp
LT 194.165.16.100:6892 udp
LT 194.165.16.101:6892 udp
LT 194.165.16.102:6892 udp
LT 194.165.16.103:6892 udp
LT 194.165.16.104:6892 udp
LT 194.165.16.105:6892 udp
LT 194.165.16.106:6892 udp
LT 194.165.16.107:6892 udp
LT 194.165.16.108:6892 udp
LT 194.165.16.109:6892 udp
LT 194.165.16.110:6892 udp
LT 194.165.16.111:6892 udp
LT 194.165.16.112:6892 udp
LT 194.165.16.113:6892 udp
LT 194.165.16.114:6892 udp
LT 194.165.16.115:6892 udp
LT 194.165.16.116:6892 udp
LT 194.165.16.117:6892 udp
LT 194.165.16.118:6892 udp
LT 194.165.16.119:6892 udp
LT 194.165.16.120:6892 udp
LT 194.165.16.121:6892 udp
LT 194.165.16.122:6892 udp
LT 194.165.16.123:6892 udp
LT 194.165.16.124:6892 udp
LT 194.165.16.125:6892 udp
LT 194.165.16.126:6892 udp
LT 194.165.16.127:6892 udp
LT 194.165.16.128:6892 udp
LT 194.165.16.129:6892 udp
LT 194.165.16.130:6892 udp
LT 194.165.16.131:6892 udp
LT 194.165.16.132:6892 udp
LT 194.165.16.133:6892 udp
LT 194.165.16.134:6892 udp
LT 194.165.16.135:6892 udp
LT 194.165.16.136:6892 udp
LT 194.165.16.137:6892 udp
LT 194.165.16.138:6892 udp
LT 194.165.16.139:6892 udp
LT 194.165.16.140:6892 udp
LT 194.165.16.141:6892 udp
LT 194.165.16.142:6892 udp
LT 194.165.16.143:6892 udp
LT 194.165.16.144:6892 udp
LT 194.165.16.145:6892 udp
LT 194.165.16.146:6892 udp
LT 194.165.16.147:6892 udp
LT 194.165.16.148:6892 udp
LT 194.165.16.149:6892 udp
LT 194.165.16.150:6892 udp
LT 194.165.16.151:6892 udp
LT 194.165.16.152:6892 udp
LT 194.165.16.153:6892 udp
LT 194.165.16.154:6892 udp
LT 194.165.16.155:6892 udp
LT 194.165.16.156:6892 udp
LT 194.165.16.157:6892 udp
LT 194.165.16.158:6892 udp
LT 194.165.16.159:6892 udp
LT 194.165.16.160:6892 udp
LT 194.165.16.161:6892 udp
LT 194.165.16.162:6892 udp
LT 194.165.16.163:6892 udp
LT 194.165.16.164:6892 udp
LT 194.165.16.165:6892 udp
LT 194.165.16.166:6892 udp
LT 194.165.16.167:6892 udp
LT 194.165.16.168:6892 udp
LT 194.165.16.169:6892 udp
LT 194.165.16.170:6892 udp
LT 194.165.16.171:6892 udp
LT 194.165.16.172:6892 udp
LT 194.165.16.173:6892 udp
LT 194.165.16.174:6892 udp
LT 194.165.16.175:6892 udp
LT 194.165.16.176:6892 udp
LT 194.165.16.177:6892 udp
LT 194.165.16.178:6892 udp
LT 194.165.16.179:6892 udp
LT 194.165.16.180:6892 udp
LT 194.165.16.181:6892 udp
LT 194.165.16.182:6892 udp
LT 194.165.16.183:6892 udp
LT 194.165.16.184:6892 udp
LT 194.165.16.185:6892 udp
LT 194.165.16.186:6892 udp
LT 194.165.16.187:6892 udp
LT 194.165.16.188:6892 udp
LT 194.165.16.189:6892 udp
LT 194.165.16.190:6892 udp
LT 194.165.16.191:6892 udp
LT 194.165.16.192:6892 udp
LT 194.165.16.193:6892 udp
LT 194.165.16.194:6892 udp
LT 194.165.16.195:6892 udp
LT 194.165.16.196:6892 udp
LT 194.165.16.197:6892 udp
LT 194.165.16.198:6892 udp
LT 194.165.16.199:6892 udp
LT 194.165.16.200:6892 udp
LT 194.165.16.201:6892 udp
LT 194.165.16.202:6892 udp
LT 194.165.16.203:6892 udp
LT 194.165.16.204:6892 udp
LT 194.165.16.205:6892 udp
LT 194.165.16.206:6892 udp
LT 194.165.16.207:6892 udp
LT 194.165.16.208:6892 udp
LT 194.165.16.209:6892 udp
LT 194.165.16.210:6892 udp
LT 194.165.16.211:6892 udp
LT 194.165.16.212:6892 udp
LT 194.165.16.213:6892 udp
LT 194.165.16.214:6892 udp
LT 194.165.16.215:6892 udp
LT 194.165.16.216:6892 udp
LT 194.165.16.217:6892 udp
LT 194.165.16.218:6892 udp
LT 194.165.16.219:6892 udp
LT 194.165.16.220:6892 udp
LT 194.165.16.221:6892 udp
LT 194.165.16.222:6892 udp
LT 194.165.16.223:6892 udp
LT 194.165.16.224:6892 udp
LT 194.165.16.225:6892 udp
LT 194.165.16.226:6892 udp
LT 194.165.16.227:6892 udp
LT 194.165.16.228:6892 udp
LT 194.165.16.229:6892 udp
LT 194.165.16.230:6892 udp
LT 194.165.16.231:6892 udp
LT 194.165.16.232:6892 udp
LT 194.165.16.233:6892 udp
LT 194.165.16.234:6892 udp
LT 194.165.16.235:6892 udp
LT 194.165.16.236:6892 udp
LT 194.165.16.237:6892 udp
LT 194.165.16.238:6892 udp
LT 194.165.16.239:6892 udp
LT 194.165.16.240:6892 udp
LT 194.165.16.241:6892 udp
LT 194.165.16.242:6892 udp
LT 194.165.16.243:6892 udp
LT 194.165.16.244:6892 udp
LT 194.165.16.245:6892 udp
LT 194.165.16.246:6892 udp
LT 194.165.16.247:6892 udp
LT 194.165.16.248:6892 udp
LT 194.165.16.249:6892 udp
LT 194.165.16.250:6892 udp
LT 194.165.16.251:6892 udp
LT 194.165.16.252:6892 udp
LT 194.165.16.253:6892 udp
LT 194.165.16.254:6892 udp
N/A 127.0.0.0:6892 udp
N/A 127.0.0.1:6892 udp
N/A 127.0.0.2:6892 udp
N/A 127.0.0.3:6892 udp
N/A 127.0.0.4:6892 udp
N/A 127.0.0.5:6892 udp
N/A 127.0.0.6:6892 udp
N/A 127.0.0.7:6892 udp
N/A 127.0.0.8:6892 udp
N/A 127.0.0.9:6892 udp
N/A 127.0.0.10:6892 udp
N/A 127.0.0.11:6892 udp
N/A 127.0.0.12:6892 udp
N/A 127.0.0.13:6892 udp
N/A 127.0.0.14:6892 udp
N/A 127.0.0.15:6892 udp
N/A 127.0.0.16:6892 udp
N/A 127.0.0.17:6892 udp
N/A 127.0.0.18:6892 udp
N/A 127.0.0.19:6892 udp
N/A 127.0.0.20:6892 udp
N/A 127.0.0.21:6892 udp
N/A 127.0.0.22:6892 udp
N/A 127.0.0.23:6892 udp
N/A 127.0.0.24:6892 udp
N/A 127.0.0.25:6892 udp
N/A 127.0.0.26:6892 udp
N/A 127.0.0.27:6892 udp
N/A 127.0.0.28:6892 udp
N/A 127.0.0.29:6892 udp
N/A 127.0.0.30:6892 udp
N/A 127.0.0.31:6892 udp
LT 194.165.16.255:6892 udp
LT 194.165.17.0:6892 udp
LT 194.165.17.1:6892 udp
LT 194.165.17.2:6892 udp
LT 194.165.17.3:6892 udp
LT 194.165.17.4:6892 udp
LT 194.165.17.5:6892 udp
LT 194.165.17.6:6892 udp
LT 194.165.17.7:6892 udp
LT 194.165.17.8:6892 udp
LT 194.165.17.9:6892 udp
LT 194.165.17.10:6892 udp
LT 194.165.17.11:6892 udp
LT 194.165.17.12:6892 udp
LT 194.165.17.13:6892 udp
LT 194.165.17.14:6892 udp
LT 194.165.17.15:6892 udp
LT 194.165.17.16:6892 udp
LT 194.165.17.17:6892 udp
LT 194.165.17.18:6892 udp
LT 194.165.17.19:6892 udp
LT 194.165.17.20:6892 udp
LT 194.165.17.21:6892 udp
LT 194.165.17.22:6892 udp
LT 194.165.17.23:6892 udp
LT 194.165.17.24:6892 udp
LT 194.165.17.25:6892 udp
LT 194.165.17.26:6892 udp
LT 194.165.17.27:6892 udp
LT 194.165.17.28:6892 udp
LT 194.165.17.29:6892 udp
LT 194.165.17.30:6892 udp
LT 194.165.17.31:6892 udp
LT 194.165.17.32:6892 udp
LT 194.165.17.33:6892 udp
LT 194.165.17.34:6892 udp
LT 194.165.17.35:6892 udp
LT 194.165.17.36:6892 udp
LT 194.165.17.37:6892 udp
LT 194.165.17.38:6892 udp
LT 194.165.17.39:6892 udp
LT 194.165.17.40:6892 udp
LT 194.165.17.41:6892 udp
LT 194.165.17.42:6892 udp
LT 194.165.17.43:6892 udp
LT 194.165.17.44:6892 udp
LT 194.165.17.45:6892 udp
LT 194.165.17.46:6892 udp
LT 194.165.17.47:6892 udp
LT 194.165.17.48:6892 udp
LT 194.165.17.49:6892 udp
LT 194.165.17.50:6892 udp
LT 194.165.17.51:6892 udp
LT 194.165.17.52:6892 udp
LT 194.165.17.53:6892 udp
LT 194.165.17.54:6892 udp
LT 194.165.17.55:6892 udp
LT 194.165.17.56:6892 udp
LT 194.165.17.57:6892 udp
LT 194.165.17.58:6892 udp
LT 194.165.17.59:6892 udp
LT 194.165.17.60:6892 udp
LT 194.165.17.61:6892 udp
LT 194.165.17.62:6892 udp
LT 194.165.17.63:6892 udp
LT 194.165.17.64:6892 udp
LT 194.165.17.65:6892 udp
LT 194.165.17.66:6892 udp
LT 194.165.17.67:6892 udp
LT 194.165.17.68:6892 udp
LT 194.165.17.69:6892 udp
LT 194.165.17.70:6892 udp
LT 194.165.17.71:6892 udp
LT 194.165.17.72:6892 udp
LT 194.165.17.73:6892 udp
LT 194.165.17.74:6892 udp
LT 194.165.17.75:6892 udp
LT 194.165.17.76:6892 udp
LT 194.165.17.77:6892 udp
LT 194.165.17.78:6892 udp
LT 194.165.17.79:6892 udp
LT 194.165.17.80:6892 udp
LT 194.165.17.81:6892 udp
LT 194.165.17.82:6892 udp
LT 194.165.17.83:6892 udp
LT 194.165.17.84:6892 udp
LT 194.165.17.85:6892 udp
LT 194.165.17.86:6892 udp
LT 194.165.17.87:6892 udp
LT 194.165.17.88:6892 udp
LT 194.165.17.89:6892 udp
LT 194.165.17.90:6892 udp
LT 194.165.17.91:6892 udp
LT 194.165.17.92:6892 udp
LT 194.165.17.93:6892 udp
LT 194.165.17.94:6892 udp
LT 194.165.17.95:6892 udp
LT 194.165.17.96:6892 udp
LT 194.165.17.97:6892 udp
LT 194.165.17.98:6892 udp
LT 194.165.17.99:6892 udp
LT 194.165.17.100:6892 udp
LT 194.165.17.101:6892 udp
LT 194.165.17.102:6892 udp
LT 194.165.17.103:6892 udp
LT 194.165.17.104:6892 udp
LT 194.165.17.105:6892 udp
LT 194.165.17.106:6892 udp
LT 194.165.17.107:6892 udp
LT 194.165.17.108:6892 udp
LT 194.165.17.109:6892 udp
LT 194.165.17.110:6892 udp
LT 194.165.17.111:6892 udp
LT 194.165.17.112:6892 udp
LT 194.165.17.113:6892 udp
LT 194.165.17.114:6892 udp
LT 194.165.17.115:6892 udp
LT 194.165.17.116:6892 udp
LT 194.165.17.117:6892 udp
LT 194.165.17.118:6892 udp
LT 194.165.17.119:6892 udp
LT 194.165.17.120:6892 udp
LT 194.165.17.121:6892 udp
LT 194.165.17.122:6892 udp
LT 194.165.17.123:6892 udp
LT 194.165.17.124:6892 udp
LT 194.165.17.125:6892 udp
LT 194.165.17.126:6892 udp
LT 194.165.17.127:6892 udp
LT 194.165.17.128:6892 udp
LT 194.165.17.129:6892 udp
LT 194.165.17.130:6892 udp
LT 194.165.17.131:6892 udp
LT 194.165.17.132:6892 udp
LT 194.165.17.133:6892 udp
LT 194.165.17.134:6892 udp
LT 194.165.17.135:6892 udp
LT 194.165.17.136:6892 udp
LT 194.165.17.137:6892 udp
LT 194.165.17.138:6892 udp
LT 194.165.17.139:6892 udp
LT 194.165.17.140:6892 udp
LT 194.165.17.141:6892 udp
LT 194.165.17.142:6892 udp
LT 194.165.17.143:6892 udp
LT 194.165.17.144:6892 udp
LT 194.165.17.145:6892 udp
LT 194.165.17.146:6892 udp
LT 194.165.17.147:6892 udp
LT 194.165.17.148:6892 udp
LT 194.165.17.149:6892 udp
LT 194.165.17.150:6892 udp
LT 194.165.17.151:6892 udp
LT 194.165.17.152:6892 udp
LT 194.165.17.153:6892 udp
LT 194.165.17.154:6892 udp
LT 194.165.17.155:6892 udp
LT 194.165.17.156:6892 udp
LT 194.165.17.157:6892 udp
LT 194.165.17.158:6892 udp
LT 194.165.17.159:6892 udp
LT 194.165.17.160:6892 udp
LT 194.165.17.161:6892 udp
LT 194.165.17.162:6892 udp
LT 194.165.17.163:6892 udp
LT 194.165.17.164:6892 udp
LT 194.165.17.165:6892 udp
LT 194.165.17.166:6892 udp
LT 194.165.17.167:6892 udp
LT 194.165.17.168:6892 udp
LT 194.165.17.169:6892 udp
LT 194.165.17.170:6892 udp
LT 194.165.17.171:6892 udp
LT 194.165.17.172:6892 udp
LT 194.165.17.173:6892 udp
LT 194.165.17.174:6892 udp
LT 194.165.17.175:6892 udp
LT 194.165.17.176:6892 udp
LT 194.165.17.177:6892 udp
LT 194.165.17.178:6892 udp
LT 194.165.17.179:6892 udp
LT 194.165.17.180:6892 udp
LT 194.165.17.181:6892 udp
LT 194.165.17.182:6892 udp
LT 194.165.17.183:6892 udp
LT 194.165.17.184:6892 udp
LT 194.165.17.185:6892 udp
LT 194.165.17.186:6892 udp
LT 194.165.17.187:6892 udp
LT 194.165.17.188:6892 udp
LT 194.165.17.189:6892 udp
LT 194.165.17.190:6892 udp
LT 194.165.17.191:6892 udp
LT 194.165.17.192:6892 udp
LT 194.165.17.193:6892 udp
LT 194.165.17.194:6892 udp
LT 194.165.17.195:6892 udp
LT 194.165.17.196:6892 udp
LT 194.165.17.197:6892 udp
LT 194.165.17.198:6892 udp
LT 194.165.17.199:6892 udp
LT 194.165.17.200:6892 udp
LT 194.165.17.201:6892 udp
LT 194.165.17.202:6892 udp
LT 194.165.17.203:6892 udp
LT 194.165.17.204:6892 udp
LT 194.165.17.205:6892 udp
LT 194.165.17.206:6892 udp
LT 194.165.17.207:6892 udp
LT 194.165.17.208:6892 udp
LT 194.165.17.209:6892 udp
LT 194.165.17.210:6892 udp
LT 194.165.17.211:6892 udp
LT 194.165.17.212:6892 udp
LT 194.165.17.213:6892 udp
LT 194.165.17.214:6892 udp
LT 194.165.17.215:6892 udp
LT 194.165.17.216:6892 udp
LT 194.165.17.217:6892 udp
LT 194.165.17.218:6892 udp
LT 194.165.17.219:6892 udp
LT 194.165.17.220:6892 udp
LT 194.165.17.221:6892 udp
LT 194.165.17.222:6892 udp
LT 194.165.17.223:6892 udp
LT 194.165.17.224:6892 udp
LT 194.165.17.225:6892 udp
LT 194.165.17.226:6892 udp
LT 194.165.17.227:6892 udp
LT 194.165.17.228:6892 udp
LT 194.165.17.229:6892 udp
LT 194.165.17.230:6892 udp
LT 194.165.17.231:6892 udp
LT 194.165.17.232:6892 udp
LT 194.165.17.233:6892 udp
LT 194.165.17.234:6892 udp
LT 194.165.17.235:6892 udp
LT 194.165.17.236:6892 udp
LT 194.165.17.237:6892 udp
LT 194.165.17.238:6892 udp
LT 194.165.17.239:6892 udp
LT 194.165.17.240:6892 udp
LT 194.165.17.241:6892 udp
LT 194.165.17.242:6892 udp
LT 194.165.17.243:6892 udp
LT 194.165.17.244:6892 udp
LT 194.165.17.245:6892 udp
LT 194.165.17.246:6892 udp
LT 194.165.17.247:6892 udp
LT 194.165.17.248:6892 udp
LT 194.165.17.249:6892 udp
LT 194.165.17.250:6892 udp
LT 194.165.17.251:6892 udp
LT 194.165.17.252:6892 udp
LT 194.165.17.253:6892 udp
LT 194.165.17.254:6892 udp
LT 194.165.17.255:6892 udp
US 8.8.8.8:53 ftoxmpdipwobp4qy.ewfp5y.bid udp
US 8.8.8.8:53 btc.blockr.io udp
US 8.8.8.8:53 api.blockcypher.com udp
US 172.67.17.223:80 api.blockcypher.com tcp
US 8.8.8.8:53 chain.so udp
US 104.22.64.108:443 chain.so tcp
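The flow table above is easier to reason about once it is collapsed: one (proto, port) pair reached every address in a contiguous /23, which is the one-datagram-per-host UDP statistics broadcast Cerber is known for, and the only names resolved are three public Bitcoin blockchain-explorer APIs plus one .bid domain. The script below is an added example, not part of this sandbox report or its tooling. It parses lines in the layout used by the Network table here (country code or N/A, ip:port, optional domain, protocol), groups destinations by port, collapses them into contiguous runs and CIDRs, filters the private and loopback probes, and lists the names queried through the resolver. Its input is constructed from the table's patterns rather than copied from the raw sandbox output, and the 64-host threshold is an assumption chosen for this example.

```python
"""Sweep and DNS summariser for sandbox network-flow lines.

Added example for this report, not part of the sandbox output. Flow lines
follow the layout of the Network table above:
    <country or N/A> <ip>:<port> [<domain>] <tcp|udp>
The script (1) flags a (proto, port) pair that reached many distinct
addresses and collapses them into contiguous runs and CIDRs, and (2) lists
the names resolved through the resolver on udp/53.
"""
import ipaddress
import re
from collections import defaultdict

FLOW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Constructed input built from the table's patterns: the /23 sweep listed
# twice (as the report does), the 192.168.0.0/27 and 127.0.0.0/27 probes,
# and the DNS/HTTP(S) lines.
SAMPLE_LINES = (
    [f"LT 194.165.{o3}.{o4}:6892 udp"
     for _ in range(2) for o3 in (16, 17) for o4 in range(256)]
    + [f"N/A 192.168.0.{o4}:6892 udp" for o4 in range(32)]
    + [f"N/A 127.0.0.{o4}:6892 udp" for o4 in range(32)]
    + [
        "US 8.8.8.8:53 ftoxmpdipwobp4qy.ewfp5y.bid udp",
        "US 8.8.8.8:53 btc.blockr.io udp",
        "US 8.8.8.8:53 api.blockcypher.com udp",
        "US 172.67.17.223:80 api.blockcypher.com tcp",
        "US 8.8.8.8:53 chain.so udp",
        "US 104.22.64.108:443 chain.so tcp",
    ]
)


def parse_flows(lines):
    """Parse flow lines; lines that do not match the layout are skipped."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({
                "cc": m.group("cc"),
                "ip": ipaddress.ip_address(m.group("ip")),
                "port": int(m.group("port")),
                "domain": m.group("domain"),
                "proto": m.group("proto"),
            })
    return flows


def contiguous_runs(addrs):
    """Collapse a set of IPv4 addresses into sorted (first, last) runs."""
    runs, start, prev = [], None, None
    for x in sorted(int(a) for a in set(addrs)):
        if start is None:
            start = prev = x
        elif x == prev + 1:
            prev = x
        else:
            runs.append((start, prev))
            start = prev = x
    if start is not None:
        runs.append((start, prev))
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in runs]


def find_sweeps(flows, min_hosts=64, skip_local=True):
    """Map (proto, port) -> {hosts, runs, cidrs} for ports that reached >= min_hosts distinct addresses.

    min_hosts=64 is an assumed threshold for this example. With skip_local the
    RFC 1918 and loopback probes are ignored so only real remote hosts count.
    """
    targets = defaultdict(set)
    for f in flows:
        if skip_local and (f["ip"].is_private or f["ip"].is_loopback):
            continue
        targets[(f["proto"], f["port"])].add(f["ip"])
    sweeps = {}
    for key, addrs in targets.items():
        if len(addrs) < min_hosts:
            continue
        runs = contiguous_runs(addrs)
        cidrs = [str(n) for a, b in runs
                 for n in ipaddress.summarize_address_range(a, b)]
        sweeps[key] = {"hosts": len(addrs), "runs": runs, "cidrs": cidrs}
    return sweeps


def dns_lookups(flows):
    """Names the sample resolved: the table records each query as a udp/53 flow carrying the domain."""
    return sorted({f["domain"] for f in flows
                   if f["proto"] == "udp" and f["port"] == 53 and f["domain"]})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LINES)
    for (proto, port), info in find_sweeps(flows).items():
        print(f"{proto}/{port}: {info['hosts']} hosts -> {info['cidrs']}")
    print("resolved:", dns_lookups(flows))
```

Run against the constructed input, the only sweep reported is udp/6892 covering 194.165.16.0/23 (512 hosts, the duplicate listing deduplicated), while the 192.168.0.0/27 and 127.0.0.0/27 probes drop out as local; calling find_sweeps with skip_local=False and a lower threshold shows all three ranges as separate runs. The resolved-name list is what you would feed into a DNS block or hunt query alongside the CIDR.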

Files

memory/2140-10-0x0000000000500000-0x000000000052E000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy16FB.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

memory/2960-12-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2140-15-0x0000000000500000-0x000000000052E000-memory.dmp

memory/2960-16-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2960-14-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2960-21-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2960-22-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2960-25-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2960-26-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\Downloads\_README_.hta

MD5 1896455e8e7d46caa2d44949629cef4f
SHA1 898edb7b319e7c4789e9f706136a1560210c4388
SHA256 4ceb7ff65ce2cab4c0795e8c6698df909d5ba72564673f38fb8ba5bf4846241a
SHA512 9f4afc04c4ef3817877d445f402e8ebcaf610c4dcaaefb53607922a0a689f0898dfa69d38c250ae14eb580441f3d8a8eaed2a66045514871292c5d81bc996be1

memory/2960-289-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2960-291-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2960-297-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2960-309-0x0000000000400000-0x0000000000432000-memory.dmp