Analysis Overview
SHA256
e66c9959bcc4ab913b89e9dabe392b785616f1b5f2039a5757f0dc5d30e76690
Threat Level: Known bad
The file b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cerber
Deletes shadow copies
Contacts a large (517) amount of remote hosts
Blocklisted process makes network request
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Loads dropped DLL
Suspicious use of SetThreadContext
Sets desktop wallpaper using registry
Drops file in Program Files directory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
Unsigned PE
Kills process with taskkill
Suspicious use of SendNotifyMessage
Uses Volume Shadow Copy service COM API
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-16 23:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\de.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffcaab46f8,0x7fffcaab4708,0x7fffcaab4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3000146987234737734,3334080110074420644,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5452 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.generaltracking.de | udp |
| DE | 193.238.60.83:445 | www.generaltracking.de | tcp |
| US | 8.8.8.8:53 | www.googletagservices.com | udp |
| DE | 142.250.185.130:80 | www.googletagservices.com | tcp |
| DE | 142.250.185.130:443 | www.googletagservices.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| DE | 142.250.186.130:443 | securepubads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | www.generaltracking.de | udp |
| DE | 193.238.60.83:139 | www.generaltracking.de | tcp |
| US | 8.8.8.8:53 | 130.185.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.186.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 2.17.107.121:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.107.17.2.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| DE | 142.250.181.232:445 | www.googletagmanager.com | tcp |
| DE | 142.250.181.232:139 | www.googletagmanager.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_2824_WBGMNRSYJGHMOLJH
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win7-20240508-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery.meanmenu.js
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win10v2004-20240611-en
Max time kernel
91s
Max time network
99s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FancyZoom.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BE | 88.221.83.203:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win7-20240611-en
Max time kernel
119s
Max time network
130s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7029298642c0da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0E06701-2C35-11EF-A01D-D62A3499FE36} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000363c0a1e694d672bf284835a2481beb9ad1516ebeddfd23de32954b306ce3d25000000000e80000000020000200000002056663ac5658a1a67ef5a7dec56da3ce3f98636dc98cdbf8c9dadaf8311a5ee20000000166a5f31943a1143fd46aff3268a8f2d179697470a147d3e4b2500c92999ad49400000007367ea1d97f811b80af714eaae814ba838d8a44c179758760ae036900a2ba890a0d72f012a6b2c710667a94fe4be763efea9b5553ae103500c2dd8b20902c157 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424741326" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3052 wrote to memory of 2384 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3052 wrote to memory of 2384 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3052 wrote to memory of 2384 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3052 wrote to memory of 2384 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\about.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.ks.net | udp |
| US | 8.8.8.8:53 | maps.googleapis.com | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| DE | 142.250.185.74:80 | maps.googleapis.com | tcp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | tcp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | tcp |
| DE | 142.250.185.74:80 | maps.googleapis.com | tcp |
| DE | 142.250.185.106:443 | maps.googleapis.com | tcp |
| DE | 142.250.185.106:443 | maps.googleapis.com | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 172.217.18.3:80 | c.pki.goog | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| DE | 172.217.18.3:80 | c.pki.goog | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| DE | 172.217.18.3:80 | o.pki.goog | tcp |
| DE | 172.217.18.3:80 | o.pki.goog | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 205.166.61.221:80 | www.ks.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FY3LN490\style.min[1].htm
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Cab2EEE.tmp
C:\Users\Admin\AppData\Local\Temp\Tar2FA0.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 63332b1ca820d4fd6528085967a698dd |
| SHA1 | 92ce491dac078097a599c80c8b8e9ae6bc19316e |
| SHA256 | 197bd7675af3f43b31aa5cf784a3925302b77b74be1db00cad7cfd8c878a93bf |
| SHA512 | c1516d9e33f61cc71586128170fe717e38534af43f180adab55e562bfa62cd0412781194ec0e26e8c16c5d3c054f7a4777a76bea5620e34899ca34f612bbc25c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1dd54fcb075d1c0147e899498c4b2a28 |
| SHA1 | f7c29196cefd1b75d9be5aca69ccd94f3b7cf5ca |
| SHA256 | 5030da35c569b2111bb30422c048aa7a66ac776b0a9589b1a0fa8c9bf55582c0 |
| SHA512 | ce383dca0a9721de59d8c83ab26f632571ecf5a1932fe6a8e593910ba7178ca60316f38d15b67d41fa3e9ec923da2a5c016ca0ff1da4ffac4c040fbf45c875d8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9d8f837fc80334868e61caa672164913 |
| SHA1 | 72efbb1b80e52b1b9d4749ae8c2c40d3f52a66db |
| SHA256 | a8ea87fc2788b6abb487432537e146a07c485db1f39bba7f658c536c3fc8ad60 |
| SHA512 | 891693b2d85282169364b9fa3b78e87db87decf300a0585990029129138e5ebc0dc2a2e3b712d1e185a6fc2c5a23579da6d125e70f6cec46af2d54c11c10487d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c9bc62ef91c811a16f6dabf94bc651d9 |
| SHA1 | c8025e2d573adc213ad75c7db0b4a16ac5fe4d13 |
| SHA256 | f921e789575271a436c5a74fdbec75de7c313f2dff90b110fa1f45e8f9ecdf1b |
| SHA512 | b599403ee32b277357a4c1865bcdf7079bea85df53ca5d3a933b771958ed12de1b7e1ea4e0337cc35112f463ae82baa072bb8cb33cc9bd741ac505424bcdfb0c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c233caa99ca456cf31387748c62085f |
| SHA1 | 94cb9fb3adf4063a698a079b5a6dbd2bcb925fe2 |
| SHA256 | aa56dc6616aaacf2e09de8a66747a12e50b94f437eb8b5453b27189be9a1fe33 |
| SHA512 | 2bde2604dfd77ef2ce62959302797f7e34bdbabea2a2d666f251267b5f15d45f2d48cfdbdcedb84aacc3c59131fe3481004e2138de3efc1ec248b5d45eeb54ab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 968992ace304bdce053d880636fc8c95 |
| SHA1 | f1a54735cecc7a029908e7179a00d9e6c3360c2e |
| SHA256 | b8405ab41941e9d2e3053fb398a5af83faccd5e4d24efab1d5b260cf164a27a4 |
| SHA512 | 738c16d9c993a49a818f65e25b619dc652a9b84c4901d2ef57a7d368f90155718f57d227774b00f985cfeb2b9706cf6ba04845641066d7291e9fee687cf527e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 52b68b67bd4b6098fc1e604528ba97e5 |
| SHA1 | a6a1eb1ac42c5fc4e420d040389b057f6778adcd |
| SHA256 | 22ec571cba68169b8484862c8623f01003e04755bf9a271323a32543a9ff4ade |
| SHA512 | 488e0ea054094fee388be64c436efcdd73a76af2cc53b18d8c046128d7c64d9782558c2a4be8e64dc9cc422d4c29a2f124c34eb6b5a3ad959b5ba9ff40ea7b74 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 491e6ed23ce59fe34e290c2dec022ec2 |
| SHA1 | 7e6be3e195171086815956489ad18016d151fc67 |
| SHA256 | c50f63dcbd3b7c5576c86a86fa285597085cfec094b7e6b9911577c6a3ecb935 |
| SHA512 | 5da5010b099f6568d93ac50594e9796fd899a4f3bac30c50d6e007f1b04f4043116650064265e5be4d35ad2f3a02174b1771c237d2ae5bc2ada2cf344a7d36b4 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win7-20240508-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424741350" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000003f91b986b2dc2458f7119a2aa70ddb1a13d38700c3a60e0941441bc4ee528fc3000000000e8000000002000020000000f8ec4faa88eda4d3bee2298be1727ce1aaae5aea52de7135203da9cdc9eb3fd52000000023375904a2cab395d5694ad01815dab2b7a16bbf011f3f4736fb2aeeab8f0f7240000000742244b19d6eb45ed5492386e0f9258124430c1c57965e2b03187fa55b86159569714e8797dd7a059ce19933c44dc65a1a85c1bfea5dcd81fcd5b4720b164b75 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a05bef9442c0da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B20B5271-2C35-11EF-B27B-DA219DA76A91} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1900 wrote to memory of 2644 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1900 wrote to memory of 2644 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1900 wrote to memory of 2644 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1900 wrote to memory of 2644 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\de.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
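The four "PID 1900 wrote to memory of 2644" rows above are the 64-bit IE frame process writing into the 32-bit tab it launched: the tab's command line names its frame process with `SCODEF:1900`, which is how Protected Mode tab creation looks to a WriteProcessMemory hook, so in this run the signature is browser plumbing from opening the dropped `de.html`, not injection by the sample (the report does not print a PID per process, so pairing 2644 with the `SCODEF:1900` tab is an inference from the Target column). The script below, an example added to this page rather than sandbox or vendor code, performs that correlation over the report's rows; the `sample.exe` row is constructed and hypothetical to show the verdict for a write that no IE command line accounts for.

```python
"""Triage 'Suspicious use of WriteProcessMemory' rows by correlating the
writing PID with Internet Explorer's SCODEF:<pid> tab argument.

Added example for this page; not the sandbox's own code. Rows are
transcribed from the behavioral17 tables above, except the sample.exe row,
which is constructed to show the unexplained case."""
import re
from collections import Counter

WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+)")
SCODEF_ARG = re.compile(r"\bSCODEF:(\d+)\b")

# (description, process image, target image) as in the report table
WPM_ROWS = [
    ("PID 1900 wrote to memory of 2644",
     r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"),
] * 4 + [
    # constructed, hypothetical row: not from the report
    ("PID 4444 wrote to memory of 5555",
     r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r"C:\Windows\explorer.exe"),
]

# (image, command line) as in the report's Processes list
PROCESSES = [
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\de.html'),
    (r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2'),
]


def parse_write(row):
    """Return (src_pid, dst_pid, src_image, dst_image) for one table row."""
    desc, src_image, dst_image = row
    m = WPM_ROW.search(desc)
    if not m:
        raise ValueError(f"unrecognised row: {desc!r}")
    return int(m.group(1)), int(m.group(2)), src_image, dst_image


def classify_write(src_pid, src_image, dst_image, processes):
    """'ie-tab-spawn' when an IE frame wrote into an IE tab whose command
    line names that frame via SCODEF:<src_pid>; 'unexplained' otherwise."""
    src_is_ie = src_image.lower().endswith(r"\iexplore.exe")
    dst_is_ie = dst_image.lower().endswith(r"\iexplore.exe")
    if not (src_is_ie and dst_is_ie):
        return "unexplained"
    for image, cmdline in processes:
        if image.lower() != dst_image.lower():
            continue
        m = SCODEF_ARG.search(cmdline)
        if m and int(m.group(1)) == src_pid:
            return "ie-tab-spawn"
    return "unexplained"


def triage(rows, processes):
    """Collapse repeated rows: {(src_pid, dst_pid): (verdict, occurrences)}."""
    counts = Counter()
    verdicts = {}
    for row in rows:
        src_pid, dst_pid, src_image, dst_image = parse_write(row)
        key = (src_pid, dst_pid)
        counts[key] += 1
        verdicts[key] = classify_write(src_pid, src_image, dst_image, processes)
    return {k: (verdicts[k], counts[k]) for k in counts}


if __name__ == "__main__":
    for (src, dst), (verdict, n) in triage(WPM_ROWS, PROCESSES).items():
        print(f"{src} -> {dst}: {verdict} ({n} events)")
```

The same reasoning applies to the "Modifies Internet Explorer settings" rows in this run: keys such as `IETld\LowMic`, `Recovery\PendingRecovery` and `TabbedBrowsing\NTPFirstRun` are written by IE on its first launch in a fresh profile, so they describe the sandbox's browser, not persistence by the sample; the Cerber behaviour listed in the page summary has to be read from the runs that execute the dropped PE, not from these browser detonations of the ransom-note HTML.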
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.googletagservices.com | udp |
| US | 8.8.8.8:53 | www.googletagservices.com | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
128s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\about.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbd5146f8,0x7ffdbd514708,0x7ffdbd514718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,12603154513437583025,12157194585798624279,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3224 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | maps.googleapis.com | udp |
| US | 8.8.8.8:53 | www.ks.net | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | www.ks.net | udp |
| US | 8.8.8.8:53 | www.ks.net | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4158365912175436289496136e7912c2 |
| SHA1 | 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59 |
| SHA256 | 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1 |
| SHA512 | 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b |
\??\pipe\LOCAL\crashpad_1060_AANOUYZGHUFDXQNX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ce4c898f8fc7601e2fbc252fdadb5115 |
| SHA1 | 01bf06badc5da353e539c7c07527d30dccc55a91 |
| SHA256 | bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa |
| SHA512 | 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cff92d1efbdc4a925df37be1d70091f4 |
| SHA1 | 0183c1717aab8f36435e9a1b681612cf814f029f |
| SHA256 | 374e4ea2f887cff21c52c7d437d81d71059439881e1b9be04abdab22bce9aadf |
| SHA512 | fe324c99db3f536eadb0b8445d405d3dfd824f37730c30d86a263ba08a82b5dafd4cd1019625661dd012e27c1ea787f3e9ceae6e2fac1d8bdbdce2551ff3add4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2b3ca796b3595790dceec9a7123023b3 |
| SHA1 | ec7ad4472a7fb9108fbd9f36a0a2eb538fe562c6 |
| SHA256 | e9bf7b5d43bd8e23f656d88cea6e93340010a519a0c8310a4711e782b454f4ee |
| SHA512 | 616db51540af6f66fd645b2ee6627e2c85f6ce69eae2ac0a307fef72fc2b29d3939dd9f55785736a6eddd14c1eab9988c991bbd13ff52ad4ec543abcb02c22d8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 93af51ae242cf8d9b0d6a7ad5b5ddfb5 |
| SHA1 | 35492d95b0e1b3dcf52b0ea7c597911087920251 |
| SHA256 | aee839ee5543d19de2a2f44d3c45e9cc9c185652309b6782b69202a18b997106 |
| SHA512 | b1e4e4f92e284dc55b49b2afb782cf5f6e2f5664912f25dc2dc3f54dec6ce29caf9417ec47a5c7ad51eb6e13facfc3f9385cf8780ce4a63ee045ccb625ec944d |
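Two things in the Files blocks deserve a check before any of these hashes go into a blocklist. The `\??\pipe\LOCAL\crashpad_…` entry carries the digests of zero-length input (MD5 `d41d8cd9…`, SHA-256 `e3b0c442…`), so it records a named pipe the sandbox hashed as empty, not a file; and paths such as `Crashpad\settings.dat`, `Default\Preferences` and, earlier on the page, the `CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015` entry (CryptoAPI's URL cache, rewritten each time the browser fetches certificate chain or revocation data) appear several times with different content because the report logs every write to the same path. The parser below is an example added to this page, not the sandbox's export code; it reads the report's path-plus-hash-table layout, groups writes by path, drops empty-input digests, and returns the de-duplicated SHA-256 set. `SAMPLE_REPORT` is constructed from three entries on this page.

```python
"""Parse the 'Files' blocks of a sandbox report (a path line followed by
| MD5 | ... |, | SHA1 | ... |, | SHA256 | ... |, | SHA512 | ... | rows),
group writes by path, and flag the noise a triager discards first.

Added example for this page, not the sandbox's own code."""
import hashlib
import re
from collections import defaultdict

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Digests of zero-length input; an entry carrying them was hashed empty.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}

# Constructed from three entries in the behavioral12 Files block above.
SAMPLE_REPORT = r"""
\??\pipe\LOCAL\crashpad_1060_AANOUYZGHUFDXQNX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4158365912175436289496136e7912c2 |
| SHA1 | 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59 |
| SHA256 | 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1 |
| SHA512 | 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ce4c898f8fc7601e2fbc252fdadb5115 |
| SHA1 | 01bf06badc5da353e539c7c07527d30dccc55a91 |
| SHA256 | bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa |
| SHA512 | 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c |
"""


def parse_files(text):
    """Return [(path, {algo: digest}), ...] in report order. Any non-blank
    line that is not a hash row starts a new entry; hash rows attach to it."""
    entries = []
    path, digests = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if path is None:
                raise ValueError("hash row before any path line")
            digests[m.group(1)] = m.group(2).lower()
        else:
            if path is not None:
                entries.append((path, digests))
            path, digests = line, {}
    if path is not None:
        entries.append((path, digests))
    return entries


def is_empty_write(digests):
    """True when every digest present is the digest of zero-length input."""
    return bool(digests) and all(EMPTY_DIGESTS[a] == d for a, d in digests.items())


def summarize(entries):
    """Group by path: paths written with more than one distinct content,
    paths hashed as empty, and the de-duplicated SHA-256 set for IOC export."""
    by_path = defaultdict(set)
    empty_paths = set()
    for path, digests in entries:
        by_path[path].add(digests.get("SHA256"))
        if is_empty_write(digests):
            empty_paths.add(path)
    rewritten = {p: len(s) for p, s in by_path.items() if len(s) > 1}
    sha256s = {d for s in by_path.values() for d in s
               if d and d != EMPTY_DIGESTS["SHA256"]}
    return {"rewritten": rewritten, "empty": empty_paths, "sha256": sha256s}


if __name__ == "__main__":
    report = summarize(parse_files(SAMPLE_REPORT))
    print("rewritten paths:", report["rewritten"])
    print("empty entries:", report["empty"])
    print("unique SHA-256:", sorted(report["sha256"]))
```

Feeding the whole page's Files blocks through `parse_files` gives the CryptnetUrlCache entry as the most-rewritten path; those hashes, the Crashpad and Edge profile files, and anything hashed empty are browser-profile churn and should be excluded from the indicator set derived from this report.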
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win7-20240220-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424741326" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0DED891-2C35-11EF-BF93-66356D7B1278} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a043478742c0da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eab426efecd791449ec9acde068c146d0000000002000000000010660000000100002000000047402d2c40ba5939654024f7c2ff7db7c178f73b55408c07d477e30be8066785000000000e8000000002000020000000eafab5dbf6d51c5ce977b0cec4629e6bddec042f53f795f5cb576f55d5624ad820000000b554f268fc189cced0f059c4dd4e3b21a51bc9aefef806d7e3848f0c9b32dc4340000000d96597ba5e1f0df262e45c17ca0ab15fc34a0cf0a188f140f5f417b9d74e44561d4e4ebc23acadeec118d003bb35baddc1fd002c0c89110849fe6f2047640b5c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2972 wrote to memory of 2568 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2972 wrote to memory of 2568 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2972 wrote to memory of 2568 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2972 wrote to memory of 2568 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\blogid=321536463764.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.coe.org | udp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| DE | 172.217.16.142:80 | www.google-analytics.com | tcp |
| DE | 172.217.16.142:80 | www.google-analytics.com | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab39D8.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar3AC9.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d46230aa13e172dec963f714266c2ae2 |
| SHA1 | ecbc6a49513450a2c4505407947fc4aacf6d8a43 |
| SHA256 | 1d7a48a3102c8756a1213d35dc90f0aedd1768baec5def349fe0267d5f254f73 |
| SHA512 | 267832ee591660d310d0ebddb03791c325dd4cfc61101089e99f141f420cc8becc92745966f530251632ef72bfb9b611d4ee0ea0f3bf1d845b550a5f1f76dc0a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 671762f7bbf191212c5cb83acf331398 |
| SHA1 | de43617e81a7bea697d4165107936c380c45aafb |
| SHA256 | 61c0f0621c6a4d9b6fe75e477d8744d24093bdccfd20aae8ba06508da7042ed1 |
| SHA512 | eceedbbf83bade39cef3bb8dfe6b18ad1421bc717a4290cdc05158e4812fdf234495fa71a108df70f223c739503c9554e367693a0819d8617a5a9844ac14038e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fe446cc7830f45222c54af5de22c06c6 |
| SHA1 | 32854a9b6bd52f9951a5c41d0d21bafe2d2b30a3 |
| SHA256 | bbdcc32828221fc7e5edb6fc52aa4f553bb5e6cae900c3ed8f34fa41e7ff74d3 |
| SHA512 | c303b5367b9be49b535f6e545cfae75910431cfbd76f6946152b7235c53bbc02c88347e8dbc93851525e9a7601c156618b92b971c11009afa0c9bc294abec7bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb39629f9e5c848011863b2b0161b6fa |
| SHA1 | d162f2b96d681796e878ecece4a1ce23da0dab67 |
| SHA256 | 9c13fdda0eec7d7a01448e6b67160e7457a18dfc9175c5f6e4f651d17b6a59a0 |
| SHA512 | 66f00b5feda419ecc46342dd1c2e303803d110945068552958c7b28c931d4684dcdd47a5eaeb51bd85fa818c465cac9d54e14746c137288d5db0d8d9c22e8b47 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 70958d22cc76f9e3d352abfb3f713811 |
| SHA1 | e465a475908e6e8505fc5b7628172f063a8a60c0 |
| SHA256 | 541502ab166307f9b477fb2f4ac61058b513f37fb44b9a9abeab30887c57178d |
| SHA512 | 7c30d54d7f0027b762fb10e36fc34179542c745808e4d60e86653c7ad252842478a3107ec673e037be38ce39b7b622d8278b2455582f909451ea142c0e3a0016 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 26cfc6c7c9b0a653a1ff4aa6b53fb9f7 |
| SHA1 | f1ee548f8d4173c9037fa06b85792b0517c3ebc1 |
| SHA256 | 1658adb88897931d5b2c099ea83931f6e0f0617a8409ea04673d877ac0dfe1f7 |
| SHA512 | d653bbc3257470b280c545fd8cb84a79edfe6b00bcff56e970a8a8be133f98c702b5145f9a7dbaab296e09bd06ca12857544ea385f3c4cd1b12405e7e5560b96 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 79ff7c2dd3b90d2bdbb34d94f8781b15 |
| SHA1 | cba73c466f0e7a2298cd41f02d7ed496f2211535 |
| SHA256 | 38a0def1adba5b2fbe2baf3cd2254cb271ea57e95e519ca21958bfb7da3e6a47 |
| SHA512 | 9d87c257521a610e69b6c253106f61cbe1c05d00911147992ff7fac2de5292ea65f16f9f089c6575cb3a524fa4122c769588d57a7b99bceca15c3a5045b36263 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59b8b431918f3e9d28b31f881d47eba1 |
| SHA1 | c216c87efe2f6060a553978b45e7fed08f57fc36 |
| SHA256 | e8ac46d5875902c6d84c24fd9844d43cc8c7ee66f85b819979ae37bd1c34ef00 |
| SHA512 | 458a64b37c36ad2145ee0908a36eb1bcfa8067a1451c5408bad6fcad36695d7f7aeb81e74952d1d8406140cfb58649d46ea8cbbbcae61aeff9539d4f427361c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6ba0fe0d1db57914ad76e4e2f00c99cb |
| SHA1 | a0f1516afca62b558b7c531202316650c7cbaae1 |
| SHA256 | 02034db17e74bdba66072c4bfe20c46672961683098d9a2985386953e0fa462a |
| SHA512 | 320ae5e4bbafe091015a6332924152a024d8c9053780189eb03570d911543e1c7e5acb5c9932169fe686101d2021a04540522d07dd91eb6c26d407e608a20041 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f6c81a87d75d9211f8055082a0d7ed85 |
| SHA1 | 3d3336ac7e1bc545f7b3ce5e0c1e8aba02a72cef |
| SHA256 | b8fa8272c4cb007ecd99c8f70cae9c6431317667f1e8bd8e9167d3c2bc702144 |
| SHA512 | 2530bcb9f6c3d84dcf1e4037c02fb5ff4ba8942152f55d8e8027cc5035be7478ea411a05ef601ec8b8e0e275dd5dbaeecc9888d543676e504471a6d8840e8aea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0467027adec0eebfffdd652c6efc68b7 |
| SHA1 | 61e7d603370bf913eaa568e8b8a6f759660deb7e |
| SHA256 | 282439f4f1fedb8ec11007c0cf4c87a3030026c0d2cf3fe432ab75815558dded |
| SHA512 | abeb796b40cbf722e2d31e2aa38955992ecb828b35f52c8d75aae1da802d6992689b8abc9294df5ebdbfd35beefc8ef4579949d8a3e755ca54e54ed37a08395c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 628e7d72b0a2f87c02b2e591fc065c5c |
| SHA1 | 0a71f2d455d249d7b39cd5771bdc6152c5cfe880 |
| SHA256 | 3738e81bd2039d7455a4bab9dab1e825dfc57af7fba5666039f0254bdea15487 |
| SHA512 | 357fcbc7b28714e27fe5794837e0d86a3a5d8d86ad3b495bdcb19c08554dc1421b75f042a369cb7e17910ff047487e25bc238c5e5587679251638b1ada99da93 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4dffe522a6222a3c61827a9b68dd6a87 |
| SHA1 | 241504f92047d3883f1432be6f19c6b867880eda |
| SHA256 | 06d5d5500178b6c97bd0296efec8874c2ea63b8bc7f557de687257f42c5655b9 |
| SHA512 | e0cbf9a75d7b2c1eeffbcb91168815cc24f6c7c9ca91d8af4244320344a7452dde1c489f7486eea847e66db43cacc3628a47f84a4b8e2fe94506f3c1ea44b89d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f3c3e32ccf11da091956efa8ea21ab6d |
| SHA1 | 3e4240e4ab8627d01af353820d1f3da703c43b2f |
| SHA256 | 6c2d841e58ecf5ac1f287bb43d99cfb7eece121c73d8a155c5d41f4a2b30a420 |
| SHA512 | ec947b6dcc652ffaba938045d72becc1745ebc73ec44db5dad7a197bb2fa5846af5e0c797acdaaba3f1f62e041869212f28f42de099861ff5ad7d65324897472 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0774f8e04004d42be40d9dc4832aa1d2 |
| SHA1 | b21c711adc24e7a645eb6ce50dbf9dbc280482dd |
| SHA256 | f22c6877453e16dc1ecb395abef23da081af69e44efd4e605fa2b24744c68327 |
| SHA512 | cf06de72383045e435ea6866a57718283c16f810c40544713012185d808e607d473bfe9c058df94e6940a2ae4e91ae24074b3ea6e678c154e59a2a93281ea657 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3e2d0d15aa44eda1aca7ab85802498ae |
| SHA1 | 2943392de366e8b3df3e547c1564c328499b435a |
| SHA256 | 24d79350f2deac7ef13f734173cc2bae304d56b16bbc3dd212a9d2644cc04f01 |
| SHA512 | 374a3b8a32f00ffd2f3078e11288d2c182ae623699507d7685cca690dd3baae20fc7dba8dea873f556f878005b00fcf1b1eb7c281401de0ea19388331dd7e102 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7610b9b8cd907f702313bf54212e126 |
| SHA1 | 1953a58599e877b895a75684846f7869c00cc31b |
| SHA256 | f22febf95d63ca30256e9b290bf57a7243747a067f854ce699c92307288e9f6d |
| SHA512 | 22b486e7f1928fad4595a7f6d2effe8c3247a42ecdcf0484c9ad97339e34c39a697e5fa29c1140a5483159bb78905d9a13847667e36a28ec3eebd773cfeff17a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4762f42e3563c9445985038740e5671f |
| SHA1 | 0a318f73b57884a7e5a49a43f34b227cc2f55e40 |
| SHA256 | 4406d1e156cb9318726897037c2eff1f3b6e1675970912a8c5a03ed8a6a7f671 |
| SHA512 | b9883342b454e49f9a46ed9b5e569b1e8e84ace2ded323e3be5733f53f0ea34a59d5353c21e9eff81cacc4d930c53660bf3c7130445f0958ca09d8111e84d8f5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e4d0e3f821fbd4f20013304841d72292 |
| SHA1 | dcdefe54354fca5e5fd6ce34fa391e320d97b5f6 |
| SHA256 | eb88c4730e5a76b888b88962f6de9422086eb5da7d2b55101210edd8632d413c |
| SHA512 | 159377a716e6c799ec8ce0b6f880778a1f02eeaedea2fa11da3c273662efbd3d14c9cfcbc368b497a5ef771d177321e772051e509ec3dd9fcba461156461190d |
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4524 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 4524 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 4524 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 75c84be6edeb473e9b347c25e79e56c1 |
| SHA1 | 8e8194182fabd97a406ab84cf7b0a5b7eaead253 |
| SHA256 | 0fa917124981b68e4a70be84598653878f56914d3390f176034b53230d9ede2c |
| SHA512 | b66541b2481b0313e85f99896b94320a4984af77356a8c2c88d47dfa178d55a04716371f2b8a94b728886ab30c6d55655a99ea07329031fb7b5ac3e6793c048a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| BE | 88.221.83.249:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsu5FF4.tmp\System.dll
| MD5 | 3e6bf00b3ac976122f982ae2aadb1c51 |
| SHA1 | caab188f7fdc84d3fdcb2922edeeb5ed576bd31d |
| SHA256 | 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe |
| SHA512 | 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706 |
C:\Users\Admin\AppData\Local\Temp\nsu5FF4.tmp\nsDialogs.dll
| MD5 | dbdbf4017ff91c9de328697b5fd2e10a |
| SHA1 | b597a5e9a8a0b252770933feed51169b5060a09f |
| SHA256 | be60a00f32924ccbe03f9914e33b8e1ad8c8a1ca442263a69896efba74925b36 |
| SHA512 | 3befc15aab0a5dbe7fde96155b0499d385f2799b1a2d47ce04f37b5804006b1c6c4fff93d3cedb56a2a8172b23752b6f9dc6168cfce3596b91def3247836cf10 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4796 wrote to memory of 4328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4796 wrote to memory of 4328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4796 wrote to memory of 4328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4328 -ip 4328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\blogid=321536463764.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb750746f8,0x7ffb75074708,0x7ffb75074718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,6162032246283004094,5505837985972974547,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5688 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.coe.org | udp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 38.106.217.98:443 | www.coe.org | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.217.106.38.in-addr.arpa | udp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| US | 38.106.217.98:80 | www.coe.org | tcp |
| DE | 172.217.16.142:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 142.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56067634f68231081c4bd5bdbfcc202f |
| SHA1 | 5582776da6ffc75bb0973840fc3d15598bc09eb1 |
| SHA256 | 8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4 |
| SHA512 | c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784 |
\??\pipe\LOCAL\crashpad_4268_BURDHADKSDURQORV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 81e892ca5c5683efdf9135fe0f2adb15 |
| SHA1 | 39159b30226d98a465ece1da28dc87088b20ecad |
| SHA256 | 830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17 |
| SHA512 | c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 949120853860b74d9429ccdd30a2cea4 |
| SHA1 | 5a49f971fb60acb0ad155b4967f1a0c159a91612 |
| SHA256 | 16dffdf12d38aff0cf9a549b26f79124c1f0bcdd922a98561298f13889735ee4 |
| SHA512 | 31d5638847768b7c83b063b9645e3db057689de3032187abeb024e062c06150e628071828f68f5d7629fd30788ec51224e7e9892130b18eae96c2cc0ee71a2d9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6893588db4e5e0ad0f77fbe76f058dcc |
| SHA1 | 4854d1f227b8f5efd6262a4d25f7ff148d4fb3a1 |
| SHA256 | 89aef316538754b92c6d4d2fd701b53c35d943f4d043e7fb7fbfddae03cd44cd |
| SHA512 | 0880058ee07e594ce274b70d8808cddd04590f0d3dc9ba2e3ae244cb930633ba79b88b0753be1763c280c612a4956eef6288c537846f632b22c653aaeefa290e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e6c2aaf9c58bd8fbb0971fbf7e5b405f |
| SHA1 | de2adbd4c41396002500674c54350280fd784af3 |
| SHA256 | feef27dbe39dab845583cf35e8d0a0ec5f96423dd60687b4924e5a172f030360 |
| SHA512 | df3879be70fd77f0744687ca4726ba8d23f83c6bbc4c647ff7a83e68f4eab25c7c1c66a1305b376a3fec10ac2d8e07c8326139f6557e1d855b8fc7ae08d9f457 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 3c46cd3d3ceb6f0620f3b84800545728 |
| SHA1 | 27c2d098ef1b28fcdac7f74015ac857bee2c4bc0 |
| SHA256 | 6b8b6685aef6bb685bf3309996eab1c7ea9b26585229338ddb4edb84c469719f |
| SHA512 | 83b87678ee7be0754a3c66be45333a74dfb4a91d57226092feebee1a65c0188572e1b2d93f3a399f6684a880aa5b8d00f1ba98df4f2ef0408c7915b888ca7f9f |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
61s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery.meanmenu.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win7-20240221-en
Max time kernel
119s
Max time network
149s
Command Line
Signatures
Cerber
Deletes shadow copies
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
Contacts a large (517) amount of remote hosts
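The 517-host count comes from the UDP sweep in the Network table further down: one datagram to every address of 31.184.234.0/24 and 31.184.235.0/24 on port 6892, in ascending order, and then the same range again. Cerber is documented to push its statistics beacons to whole address ranges over UDP rather than to a single C2, so the fan-out itself is the detectable signal; no reply is expected. The following Python is an added example, not part of this report or of the sandbox: it builds flow records that mirror the table (the source address 10.0.0.5 is an assumption, as is treating each table row as one flow) and reports any (source, protocol, port) that covered almost all of one or more /24s, collapsing the covered blocks into CIDR ranges.

```python
import ipaddress
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst dport proto")


def build_flows(src="10.0.0.5"):
    """Constructed flows mirroring the Network table: a few DNS/HTTP records,
    every address of 31.184.234.0/23 on udp/6892, then the first 25 again.
    The source address is an assumption (the table does not record it)."""
    flows = [Flow(src, "8.8.8.8", 53, "udp")] * 3
    flows += [Flow(src, "38.106.217.98", 80, "tcp")] * 6
    for net in ("31.184.234.0/24", "31.184.235.0/24"):
        # ip_network iteration includes .0 and .255, exactly as the table does.
        flows += [Flow(src, str(ip), 6892, "udp") for ip in ipaddress.ip_network(net)]
    flows += [Flow(src, str(ip), 6892, "udp")
              for ip in list(ipaddress.ip_network("31.184.234.0/24"))[:25]]
    return flows


def find_sweeps(flows, min_hosts=64, min_density=0.9):
    """Report (src, proto, dport) keys that touched nearly every address of
    one or more /24s. Each hit carries the covered ranges collapsed into CIDR
    blocks, the distinct host count, and whether hosts were first contacted
    in ascending address order (a scripted sweep rather than peer churn)."""
    first_seen = defaultdict(list)   # key -> distinct dst addresses, first-seen order
    seen = defaultdict(set)
    for f in flows:
        key = (f.src, f.proto, f.dport)
        ip = ipaddress.ip_address(f.dst)
        if ip not in seen[key]:
            seen[key].add(ip)
            first_seen[key].append(ip)

    hits = []
    for key, ips in seen.items():
        if len(ips) < min_hosts:
            continue                      # repeated connections to one host are not a sweep
        per_net = defaultdict(set)
        for ip in ips:
            per_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
        dense = [net for net, members in per_net.items()
                 if len(members) / net.num_addresses >= min_density]
        if not dense:
            continue
        order = first_seen[key]
        hits.append({
            "src": key[0], "proto": key[1], "dport": key[2],
            "ranges": [str(n) for n in ipaddress.collapse_addresses(dense)],
            "hosts": sum(len(per_net[n]) for n in dense),
            "sequential": order == sorted(order),
        })
    return hits


if __name__ == "__main__":
    for hit in find_sweeps(build_flows()):
        print(hit)
```

Run against the constructed flows this yields a single hit: 512 hosts on udp/6892 covering 31.184.234.0/23, contacted sequentially; the nine DNS and HTTP records never reach the host threshold. Tune `min_hosts` down if your sensor only sees sampled flows, and keep the density check so that ordinary scanning of a few scattered hosts in a range does not fire.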
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpD874.bmp" | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2928 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 432
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im "b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe"
C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
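The process list above shows the three chains the signatures summarise: the sample's second instance spawning `cmd.exe` to run `wmic.exe shadowcopy delete` (which is why `vssvc.exe` starts and why the WMIC process requests backup, restore and volume-management privileges), `mshta.exe` rendering the dropped `README.hta` ransom note from %TEMP%, and a second `cmd.exe` that runs `taskkill /f /im` against the sample's own image followed by `ping -n 1 127.0.0.1`, the usual one-second delay before the file is removed (the `del` itself is a cmd built-in, so it never appears as a child process, which is why the "Deletes itself" signature is attributed to cmd.exe). The following Python is an added example, not code from the sandbox or from this page: it walks constructed process-creation events modelled on that tree and flags each chain. The parent/child PIDs other than 2928 (the PID WerFault names in its `-p` argument) and the event field layout are assumptions.

```python
import ntpath
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe"

# Constructed events modelled on the Processes list above. Command lines are
# copied from the report; PIDs other than 2928 and all parent links are assumed.
EVENTS = [
    ProcEvent(2928, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2668, 2928, SAMPLE, f'"{SAMPLE}"'),   # instance whose thread context 2928 set
    ProcEvent(3000, 2668, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(3001, 3000, r"C:\Windows\system32\wbem\WMIC.exe",
              r"C:\Windows\system32\wbem\wmic.exe shadowcopy delete"),
    ProcEvent(3002, 2668, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"'),
    ProcEvent(3003, 2668, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(3004, 3003, r"C:\Windows\system32\taskkill.exe",
              r'taskkill /f /im "b5acd7114871b64c25d2eaadbce860f6_JaffaCakes118.exe"'),
    ProcEvent(3005, 3003, r"C:\Windows\system32\PING.EXE", r"ping -n 1 127.0.0.1"),
    # Benign control (constructed): listing shadow copies must not fire.
    ProcEvent(4000, 1000, r"C:\Windows\system32\wbem\WMIC.exe", r"wmic shadowcopy list brief"),
]

SHADOW_DELETE = re.compile(r"\bshadowcopy\s+delete\b|\bdelete\s+shadows\b|Win32_ShadowCopy.*\bDelete\b", re.I)
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def win_args(cmdline):
    """Split a Windows command line: keep backslashes, drop surrounding quotes."""
    return [a[1:-1] if len(a) >= 2 and a[0] == a[-1] == '"' else a
            for a in shlex.split(cmdline, posix=False)]


def base(image):
    return ntpath.basename(image).lower()


def detect(events):
    """Return (rule, pid) pairs for shadow-copy deletion, mshta run from a
    user-writable path, and the taskkill + loopback-ping self-delete chain."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    def ancestors(e):
        while e.ppid in by_pid:
            e = by_pid[e.ppid]
            yield e

    findings = []
    for e in events:
        name = base(e.image)
        if name in ("wmic.exe", "vssadmin.exe", "powershell.exe") and SHADOW_DELETE.search(e.cmdline):
            findings.append(("shadow_copy_deletion", e.pid))
        if name == "mshta.exe" and any(a.lower().endswith(".hta") and USER_WRITABLE.search(a)
                                       for a in win_args(e.cmdline)[1:]):
            findings.append(("mshta_from_user_writable_path", e.pid))
        if name == "cmd.exe":
            kill_targets, loopback_ping = set(), False
            for c in children[e.pid]:
                args = win_args(c.cmdline)
                if base(c.image) == "taskkill.exe":
                    kill_targets |= {args[i + 1].lower() for i, a in enumerate(args[:-1])
                                     if a.lower() == "/im"}
                elif base(c.image) == "ping.exe" and args and args[-1] in LOOPBACK:
                    loopback_ping = True
            # The chain is self-deletion only when the kill target is an ancestor of the shell.
            if loopback_ping and any(base(a.image) in kill_targets for a in ancestors(e)):
                findings.append(("self_delete_chain", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The self-delete rule deliberately requires both halves of the idiom and an ancestor match, since `taskkill` and `ping 127.0.0.1` are common on their own; the shadow-copy rule keys on the verb, so `wmic shadowcopy list` in the control event stays quiet. Feed it real Sysmon Event ID 1 or 4688 records by mapping their ProcessId, ParentProcessId, Image and CommandLine fields onto `ProcEvent`.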
Network
| Country | Destination | Domain | Proto |
| AM | 31.184.234.0:6892 | N/A | udp |
| AM | 31.184.234.1:6892 | N/A | udp |
| AM | 31.184.234.2:6892 | N/A | udp |
| AM | 31.184.234.3:6892 | N/A | udp |
| AM | 31.184.234.4:6892 | N/A | udp |
| AM | 31.184.234.5:6892 | N/A | udp |
| AM | 31.184.234.6:6892 | N/A | udp |
| AM | 31.184.234.7:6892 | N/A | udp |
| AM | 31.184.234.8:6892 | N/A | udp |
| AM | 31.184.234.9:6892 | N/A | udp |
| AM | 31.184.234.10:6892 | N/A | udp |
| AM | 31.184.234.11:6892 | N/A | udp |
| AM | 31.184.234.12:6892 | N/A | udp |
| AM | 31.184.234.13:6892 | N/A | udp |
| AM | 31.184.234.14:6892 | N/A | udp |
| AM | 31.184.234.15:6892 | N/A | udp |
| AM | 31.184.234.16:6892 | N/A | udp |
| AM | 31.184.234.17:6892 | N/A | udp |
| AM | 31.184.234.18:6892 | N/A | udp |
| AM | 31.184.234.19:6892 | N/A | udp |
| AM | 31.184.234.20:6892 | N/A | udp |
| AM | 31.184.234.21:6892 | N/A | udp |
| AM | 31.184.234.22:6892 | N/A | udp |
| AM | 31.184.234.23:6892 | N/A | udp |
| AM | 31.184.234.24:6892 | N/A | udp |
| AM | 31.184.234.25:6892 | N/A | udp |
| AM | 31.184.234.26:6892 | N/A | udp |
| AM | 31.184.234.27:6892 | N/A | udp |
| AM | 31.184.234.28:6892 | N/A | udp |
| AM | 31.184.234.29:6892 | N/A | udp |
| AM | 31.184.234.30:6892 | N/A | udp |
| AM | 31.184.234.31:6892 | N/A | udp |
| AM | 31.184.234.32:6892 | N/A | udp |
| AM | 31.184.234.33:6892 | N/A | udp |
| AM | 31.184.234.34:6892 | N/A | udp |
| AM | 31.184.234.35:6892 | N/A | udp |
| AM | 31.184.234.36:6892 | N/A | udp |
| AM | 31.184.234.37:6892 | N/A | udp |
| AM | 31.184.234.38:6892 | N/A | udp |
| AM | 31.184.234.39:6892 | N/A | udp |
| AM | 31.184.234.40:6892 | N/A | udp |
| AM | 31.184.234.41:6892 | N/A | udp |
| AM | 31.184.234.42:6892 | N/A | udp |
| AM | 31.184.234.43:6892 | N/A | udp |
| AM | 31.184.234.44:6892 | N/A | udp |
| AM | 31.184.234.45:6892 | N/A | udp |
| AM | 31.184.234.46:6892 | N/A | udp |
| AM | 31.184.234.47:6892 | N/A | udp |
| AM | 31.184.234.48:6892 | N/A | udp |
| AM | 31.184.234.49:6892 | N/A | udp |
| AM | 31.184.234.50:6892 | N/A | udp |
| AM | 31.184.234.51:6892 | N/A | udp |
| AM | 31.184.234.52:6892 | N/A | udp |
| AM | 31.184.234.53:6892 | N/A | udp |
| AM | 31.184.234.54:6892 | N/A | udp |
| AM | 31.184.234.55:6892 | N/A | udp |
| AM | 31.184.234.56:6892 | N/A | udp |
| AM | 31.184.234.57:6892 | N/A | udp |
| AM | 31.184.234.58:6892 | N/A | udp |
| AM | 31.184.234.59:6892 | N/A | udp |
| AM | 31.184.234.60:6892 | N/A | udp |
| AM | 31.184.234.61:6892 | N/A | udp |
| AM | 31.184.234.62:6892 | N/A | udp |
| AM | 31.184.234.63:6892 | N/A | udp |
| AM | 31.184.234.64:6892 | N/A | udp |
| AM | 31.184.234.65:6892 | N/A | udp |
| AM | 31.184.234.66:6892 | N/A | udp |
| AM | 31.184.234.67:6892 | N/A | udp |
| AM | 31.184.234.68:6892 | N/A | udp |
| AM | 31.184.234.69:6892 | N/A | udp |
| AM | 31.184.234.70:6892 | N/A | udp |
| AM | 31.184.234.71:6892 | N/A | udp |
| AM | 31.184.234.72:6892 | N/A | udp |
| AM | 31.184.234.73:6892 | N/A | udp |
| AM | 31.184.234.74:6892 | N/A | udp |
| AM | 31.184.234.75:6892 | N/A | udp |
| AM | 31.184.234.76:6892 | N/A | udp |
| AM | 31.184.234.77:6892 | N/A | udp |
| AM | 31.184.234.78:6892 | N/A | udp |
| AM | 31.184.234.79:6892 | N/A | udp |
| AM | 31.184.234.80:6892 | N/A | udp |
| AM | 31.184.234.81:6892 | N/A | udp |
| AM | 31.184.234.82:6892 | N/A | udp |
| AM | 31.184.234.83:6892 | N/A | udp |
| AM | 31.184.234.84:6892 | N/A | udp |
| AM | 31.184.234.85:6892 | N/A | udp |
| AM | 31.184.234.86:6892 | N/A | udp |
| AM | 31.184.234.87:6892 | N/A | udp |
| AM | 31.184.234.88:6892 | N/A | udp |
| AM | 31.184.234.89:6892 | N/A | udp |
| AM | 31.184.234.90:6892 | N/A | udp |
| AM | 31.184.234.91:6892 | N/A | udp |
| AM | 31.184.234.92:6892 | N/A | udp |
| AM | 31.184.234.93:6892 | N/A | udp |
| AM | 31.184.234.94:6892 | N/A | udp |
| AM | 31.184.234.95:6892 | N/A | udp |
| AM | 31.184.234.96:6892 | N/A | udp |
| AM | 31.184.234.97:6892 | N/A | udp |
| AM | 31.184.234.98:6892 | N/A | udp |
| AM | 31.184.234.99:6892 | N/A | udp |
| AM | 31.184.234.100:6892 | N/A | udp |
| AM | 31.184.234.101:6892 | N/A | udp |
| AM | 31.184.234.102:6892 | N/A | udp |
| AM | 31.184.234.103:6892 | N/A | udp |
| AM | 31.184.234.104:6892 | N/A | udp |
| AM | 31.184.234.105:6892 | N/A | udp |
| AM | 31.184.234.106:6892 | N/A | udp |
| AM | 31.184.234.107:6892 | N/A | udp |
| AM | 31.184.234.108:6892 | N/A | udp |
| AM | 31.184.234.109:6892 | N/A | udp |
| AM | 31.184.234.110:6892 | N/A | udp |
| AM | 31.184.234.111:6892 | N/A | udp |
| AM | 31.184.234.112:6892 | N/A | udp |
| AM | 31.184.234.113:6892 | N/A | udp |
| AM | 31.184.234.114:6892 | N/A | udp |
| AM | 31.184.234.115:6892 | N/A | udp |
| AM | 31.184.234.116:6892 | N/A | udp |
| AM | 31.184.234.117:6892 | N/A | udp |
| AM | 31.184.234.118:6892 | N/A | udp |
| AM | 31.184.234.119:6892 | N/A | udp |
| AM | 31.184.234.120:6892 | N/A | udp |
| AM | 31.184.234.121:6892 | N/A | udp |
| AM | 31.184.234.122:6892 | N/A | udp |
| AM | 31.184.234.123:6892 | N/A | udp |
| AM | 31.184.234.124:6892 | N/A | udp |
| AM | 31.184.234.125:6892 | N/A | udp |
| AM | 31.184.234.126:6892 | N/A | udp |
| AM | 31.184.234.127:6892 | N/A | udp |
| AM | 31.184.234.128:6892 | N/A | udp |
| AM | 31.184.234.129:6892 | N/A | udp |
| AM | 31.184.234.130:6892 | N/A | udp |
| AM | 31.184.234.131:6892 | N/A | udp |
| AM | 31.184.234.132:6892 | N/A | udp |
| AM | 31.184.234.133:6892 | N/A | udp |
| AM | 31.184.234.134:6892 | N/A | udp |
| AM | 31.184.234.135:6892 | N/A | udp |
| AM | 31.184.234.136:6892 | N/A | udp |
| AM | 31.184.234.137:6892 | N/A | udp |
| AM | 31.184.234.138:6892 | N/A | udp |
| AM | 31.184.234.139:6892 | N/A | udp |
| AM | 31.184.234.140:6892 | N/A | udp |
| AM | 31.184.234.141:6892 | N/A | udp |
| AM | 31.184.234.142:6892 | N/A | udp |
| AM | 31.184.234.143:6892 | N/A | udp |
| AM | 31.184.234.144:6892 | N/A | udp |
| AM | 31.184.234.145:6892 | N/A | udp |
| AM | 31.184.234.146:6892 | N/A | udp |
| AM | 31.184.234.147:6892 | N/A | udp |
| AM | 31.184.234.148:6892 | N/A | udp |
| AM | 31.184.234.149:6892 | N/A | udp |
| AM | 31.184.234.150:6892 | N/A | udp |
| AM | 31.184.234.151:6892 | N/A | udp |
| AM | 31.184.234.152:6892 | N/A | udp |
| AM | 31.184.234.153:6892 | N/A | udp |
| AM | 31.184.234.154:6892 | N/A | udp |
| AM | 31.184.234.155:6892 | N/A | udp |
| AM | 31.184.234.156:6892 | N/A | udp |
| AM | 31.184.234.157:6892 | N/A | udp |
| AM | 31.184.234.158:6892 | N/A | udp |
| AM | 31.184.234.159:6892 | N/A | udp |
| AM | 31.184.234.160:6892 | N/A | udp |
| AM | 31.184.234.161:6892 | N/A | udp |
| AM | 31.184.234.162:6892 | N/A | udp |
| AM | 31.184.234.163:6892 | N/A | udp |
| AM | 31.184.234.164:6892 | N/A | udp |
| AM | 31.184.234.165:6892 | N/A | udp |
| AM | 31.184.234.166:6892 | N/A | udp |
| AM | 31.184.234.167:6892 | N/A | udp |
| AM | 31.184.234.168:6892 | N/A | udp |
| AM | 31.184.234.169:6892 | N/A | udp |
| AM | 31.184.234.170:6892 | N/A | udp |
| AM | 31.184.234.171:6892 | N/A | udp |
| AM | 31.184.234.172:6892 | N/A | udp |
| AM | 31.184.234.173:6892 | N/A | udp |
| AM | 31.184.234.174:6892 | N/A | udp |
| AM | 31.184.234.175:6892 | N/A | udp |
| AM | 31.184.234.176:6892 | N/A | udp |
| AM | 31.184.234.177:6892 | N/A | udp |
| AM | 31.184.234.178:6892 | N/A | udp |
| AM | 31.184.234.179:6892 | N/A | udp |
| AM | 31.184.234.180:6892 | N/A | udp |
| AM | 31.184.234.181:6892 | N/A | udp |
| AM | 31.184.234.182:6892 | N/A | udp |
| AM | 31.184.234.183:6892 | N/A | udp |
| AM | 31.184.234.184:6892 | N/A | udp |
| AM | 31.184.234.185:6892 | N/A | udp |
| AM | 31.184.234.186:6892 | N/A | udp |
| AM | 31.184.234.187:6892 | N/A | udp |
| AM | 31.184.234.188:6892 | N/A | udp |
| AM | 31.184.234.189:6892 | N/A | udp |
| AM | 31.184.234.190:6892 | N/A | udp |
| AM | 31.184.234.191:6892 | N/A | udp |
| AM | 31.184.234.192:6892 | N/A | udp |
| AM | 31.184.234.193:6892 | N/A | udp |
| AM | 31.184.234.194:6892 | N/A | udp |
| AM | 31.184.234.195:6892 | N/A | udp |
| AM | 31.184.234.196:6892 | N/A | udp |
| AM | 31.184.234.197:6892 | N/A | udp |
| AM | 31.184.234.198:6892 | N/A | udp |
| AM | 31.184.234.199:6892 | N/A | udp |
| AM | 31.184.234.200:6892 | N/A | udp |
| AM | 31.184.234.201:6892 | N/A | udp |
| AM | 31.184.234.202:6892 | N/A | udp |
| AM | 31.184.234.203:6892 | N/A | udp |
| AM | 31.184.234.204:6892 | N/A | udp |
| AM | 31.184.234.205:6892 | N/A | udp |
| AM | 31.184.234.206:6892 | N/A | udp |
| AM | 31.184.234.207:6892 | N/A | udp |
| AM | 31.184.234.208:6892 | N/A | udp |
| AM | 31.184.234.209:6892 | N/A | udp |
| AM | 31.184.234.210:6892 | N/A | udp |
| AM | 31.184.234.211:6892 | N/A | udp |
| AM | 31.184.234.212:6892 | N/A | udp |
| AM | 31.184.234.213:6892 | N/A | udp |
| AM | 31.184.234.214:6892 | N/A | udp |
| AM | 31.184.234.215:6892 | N/A | udp |
| AM | 31.184.234.216:6892 | N/A | udp |
| AM | 31.184.234.217:6892 | N/A | udp |
| AM | 31.184.234.218:6892 | N/A | udp |
| AM | 31.184.234.219:6892 | N/A | udp |
| AM | 31.184.234.220:6892 | N/A | udp |
| AM | 31.184.234.221:6892 | N/A | udp |
| AM | 31.184.234.222:6892 | N/A | udp |
| AM | 31.184.234.223:6892 | N/A | udp |
| AM | 31.184.234.224:6892 | N/A | udp |
| AM | 31.184.234.225:6892 | N/A | udp |
| AM | 31.184.234.226:6892 | N/A | udp |
| AM | 31.184.234.227:6892 | N/A | udp |
| AM | 31.184.234.228:6892 | N/A | udp |
| AM | 31.184.234.229:6892 | N/A | udp |
| AM | 31.184.234.230:6892 | N/A | udp |
| AM | 31.184.234.231:6892 | N/A | udp |
| AM | 31.184.234.232:6892 | N/A | udp |
| AM | 31.184.234.233:6892 | N/A | udp |
| AM | 31.184.234.234:6892 | N/A | udp |
| AM | 31.184.234.235:6892 | N/A | udp |
| AM | 31.184.234.236:6892 | N/A | udp |
| AM | 31.184.234.237:6892 | N/A | udp |
| AM | 31.184.234.238:6892 | N/A | udp |
| AM | 31.184.234.239:6892 | N/A | udp |
| AM | 31.184.234.240:6892 | N/A | udp |
| AM | 31.184.234.241:6892 | N/A | udp |
| AM | 31.184.234.242:6892 | N/A | udp |
| AM | 31.184.234.243:6892 | N/A | udp |
| AM | 31.184.234.244:6892 | N/A | udp |
| AM | 31.184.234.245:6892 | N/A | udp |
| AM | 31.184.234.246:6892 | N/A | udp |
| AM | 31.184.234.247:6892 | N/A | udp |
| AM | 31.184.234.248:6892 | N/A | udp |
| AM | 31.184.234.249:6892 | N/A | udp |
| AM | 31.184.234.250:6892 | N/A | udp |
| AM | 31.184.234.251:6892 | N/A | udp |
| AM | 31.184.234.252:6892 | N/A | udp |
| AM | 31.184.234.253:6892 | N/A | udp |
| AM | 31.184.234.254:6892 | N/A | udp |
| AM | 31.184.234.255:6892 | N/A | udp |
| AM | 31.184.235.0:6892 | N/A | udp |
| AM | 31.184.235.1:6892 | N/A | udp |
| AM | 31.184.235.2:6892 | N/A | udp |
| AM | 31.184.235.3:6892 | N/A | udp |
| AM | 31.184.235.4:6892 | N/A | udp |
| AM | 31.184.235.5:6892 | N/A | udp |
| AM | 31.184.235.6:6892 | N/A | udp |
| AM | 31.184.235.7:6892 | N/A | udp |
| AM | 31.184.235.8:6892 | N/A | udp |
| AM | 31.184.235.9:6892 | N/A | udp |
| AM | 31.184.235.10:6892 | N/A | udp |
| AM | 31.184.235.11:6892 | N/A | udp |
| AM | 31.184.235.12:6892 | N/A | udp |
| AM | 31.184.235.13:6892 | N/A | udp |
| AM | 31.184.235.14:6892 | N/A | udp |
| AM | 31.184.235.15:6892 | N/A | udp |
| AM | 31.184.235.16:6892 | N/A | udp |
| AM | 31.184.235.17:6892 | N/A | udp |
| AM | 31.184.235.18:6892 | N/A | udp |
| AM | 31.184.235.19:6892 | N/A | udp |
| AM | 31.184.235.20:6892 | N/A | udp |
| AM | 31.184.235.21:6892 | N/A | udp |
| AM | 31.184.235.22:6892 | N/A | udp |
| AM | 31.184.235.23:6892 | N/A | udp |
| AM | 31.184.235.24:6892 | N/A | udp |
| AM | 31.184.235.25:6892 | N/A | udp |
| AM | 31.184.235.26:6892 | N/A | udp |
| AM | 31.184.235.27:6892 | N/A | udp |
| AM | 31.184.235.28:6892 | N/A | udp |
| AM | 31.184.235.29:6892 | N/A | udp |
| AM | 31.184.235.30:6892 | N/A | udp |
| AM | 31.184.235.31:6892 | N/A | udp |
| AM | 31.184.235.32:6892 | N/A | udp |
| AM | 31.184.235.33:6892 | N/A | udp |
| AM | 31.184.235.34:6892 | N/A | udp |
| AM | 31.184.235.35:6892 | N/A | udp |
| AM | 31.184.235.36:6892 | N/A | udp |
| AM | 31.184.235.37:6892 | N/A | udp |
| AM | 31.184.235.38:6892 | N/A | udp |
| AM | 31.184.235.39:6892 | N/A | udp |
| AM | 31.184.235.40:6892 | N/A | udp |
| AM | 31.184.235.41:6892 | N/A | udp |
| AM | 31.184.235.42:6892 | N/A | udp |
| AM | 31.184.235.43:6892 | N/A | udp |
| AM | 31.184.235.44:6892 | N/A | udp |
| AM | 31.184.235.45:6892 | N/A | udp |
| AM | 31.184.235.46:6892 | N/A | udp |
| AM | 31.184.235.47:6892 | N/A | udp |
| AM | 31.184.235.48:6892 | N/A | udp |
| AM | 31.184.235.49:6892 | N/A | udp |
| AM | 31.184.235.50:6892 | N/A | udp |
| AM | 31.184.235.51:6892 | N/A | udp |
| AM | 31.184.235.52:6892 | N/A | udp |
| AM | 31.184.235.53:6892 | N/A | udp |
| AM | 31.184.235.54:6892 | N/A | udp |
| AM | 31.184.235.55:6892 | N/A | udp |
| AM | 31.184.235.56:6892 | N/A | udp |
| AM | 31.184.235.57:6892 | N/A | udp |
| AM | 31.184.235.58:6892 | N/A | udp |
| AM | 31.184.235.59:6892 | N/A | udp |
| AM | 31.184.235.60:6892 | N/A | udp |
| AM | 31.184.235.61:6892 | N/A | udp |
| AM | 31.184.235.62:6892 | N/A | udp |
| AM | 31.184.235.63:6892 | N/A | udp |
| AM | 31.184.235.64:6892 | N/A | udp |
| AM | 31.184.235.65:6892 | N/A | udp |
| AM | 31.184.235.66:6892 | N/A | udp |
| AM | 31.184.235.67:6892 | N/A | udp |
| AM | 31.184.235.68:6892 | N/A | udp |
| AM | 31.184.235.69:6892 | N/A | udp |
| AM | 31.184.235.70:6892 | N/A | udp |
| AM | 31.184.235.71:6892 | N/A | udp |
| AM | 31.184.235.72:6892 | N/A | udp |
| AM | 31.184.235.73:6892 | N/A | udp |
| AM | 31.184.235.74:6892 | N/A | udp |
| AM | 31.184.235.75:6892 | N/A | udp |
| AM | 31.184.235.76:6892 | N/A | udp |
| AM | 31.184.235.77:6892 | N/A | udp |
| AM | 31.184.235.78:6892 | N/A | udp |
| AM | 31.184.235.79:6892 | N/A | udp |
| AM | 31.184.235.80:6892 | N/A | udp |
| AM | 31.184.235.81:6892 | N/A | udp |
| AM | 31.184.235.82:6892 | N/A | udp |
| AM | 31.184.235.83:6892 | N/A | udp |
| AM | 31.184.235.84:6892 | N/A | udp |
| AM | 31.184.235.85:6892 | N/A | udp |
| AM | 31.184.235.86:6892 | N/A | udp |
| AM | 31.184.235.87:6892 | N/A | udp |
| AM | 31.184.235.88:6892 | N/A | udp |
| AM | 31.184.235.89:6892 | N/A | udp |
| AM | 31.184.235.90:6892 | N/A | udp |
| AM | 31.184.235.91:6892 | N/A | udp |
| AM | 31.184.235.92:6892 | N/A | udp |
| AM | 31.184.235.93:6892 | N/A | udp |
| AM | 31.184.235.94:6892 | N/A | udp |
| AM | 31.184.235.95:6892 | N/A | udp |
| AM | 31.184.235.96:6892 | N/A | udp |
| AM | 31.184.235.97:6892 | N/A | udp |
| AM | 31.184.235.98:6892 | N/A | udp |
| AM | 31.184.235.99:6892 | N/A | udp |
| AM | 31.184.235.100:6892 | N/A | udp |
| AM | 31.184.235.101:6892 | N/A | udp |
| AM | 31.184.235.102:6892 | N/A | udp |
| AM | 31.184.235.103:6892 | N/A | udp |
| AM | 31.184.235.104:6892 | N/A | udp |
| AM | 31.184.235.105:6892 | N/A | udp |
| AM | 31.184.235.106:6892 | N/A | udp |
| AM | 31.184.235.107:6892 | N/A | udp |
| AM | 31.184.235.108:6892 | N/A | udp |
| AM | 31.184.235.109:6892 | N/A | udp |
| AM | 31.184.235.110:6892 | N/A | udp |
| AM | 31.184.235.111:6892 | N/A | udp |
| AM | 31.184.235.112:6892 | N/A | udp |
| AM | 31.184.235.113:6892 | N/A | udp |
| AM | 31.184.235.114:6892 | N/A | udp |
| AM | 31.184.235.115:6892 | N/A | udp |
| AM | 31.184.235.116:6892 | N/A | udp |
| AM | 31.184.235.117:6892 | N/A | udp |
| AM | 31.184.235.118:6892 | N/A | udp |
| AM | 31.184.235.119:6892 | N/A | udp |
| AM | 31.184.235.120:6892 | N/A | udp |
| AM | 31.184.235.121:6892 | N/A | udp |
| AM | 31.184.235.122:6892 | N/A | udp |
| AM | 31.184.235.123:6892 | N/A | udp |
| AM | 31.184.235.124:6892 | N/A | udp |
| AM | 31.184.235.125:6892 | N/A | udp |
| AM | 31.184.235.126:6892 | N/A | udp |
| AM | 31.184.235.127:6892 | N/A | udp |
| AM | 31.184.235.128:6892 | N/A | udp |
| AM | 31.184.235.129:6892 | N/A | udp |
| AM | 31.184.235.130:6892 | N/A | udp |
| AM | 31.184.235.131:6892 | N/A | udp |
| AM | 31.184.235.132:6892 | N/A | udp |
| AM | 31.184.235.133:6892 | N/A | udp |
| AM | 31.184.235.134:6892 | N/A | udp |
| AM | 31.184.235.135:6892 | N/A | udp |
| AM | 31.184.235.136:6892 | N/A | udp |
| AM | 31.184.235.137:6892 | N/A | udp |
| AM | 31.184.235.138:6892 | N/A | udp |
| AM | 31.184.235.139:6892 | N/A | udp |
| AM | 31.184.235.140:6892 | N/A | udp |
| AM | 31.184.235.141:6892 | N/A | udp |
| AM | 31.184.235.142:6892 | N/A | udp |
| AM | 31.184.235.143:6892 | N/A | udp |
| AM | 31.184.235.144:6892 | N/A | udp |
| AM | 31.184.235.145:6892 | N/A | udp |
| AM | 31.184.235.146:6892 | N/A | udp |
| AM | 31.184.235.147:6892 | N/A | udp |
| AM | 31.184.235.148:6892 | N/A | udp |
| AM | 31.184.235.149:6892 | N/A | udp |
| AM | 31.184.235.150:6892 | N/A | udp |
| AM | 31.184.235.151:6892 | N/A | udp |
| AM | 31.184.235.152:6892 | N/A | udp |
| AM | 31.184.235.153:6892 | N/A | udp |
| AM | 31.184.235.154:6892 | N/A | udp |
| AM | 31.184.235.155:6892 | N/A | udp |
| AM | 31.184.235.156:6892 | N/A | udp |
| AM | 31.184.235.157:6892 | N/A | udp |
| AM | 31.184.235.158:6892 | N/A | udp |
| AM | 31.184.235.159:6892 | N/A | udp |
| AM | 31.184.235.160:6892 | N/A | udp |
| AM | 31.184.235.161:6892 | N/A | udp |
| AM | 31.184.235.162:6892 | N/A | udp |
| AM | 31.184.235.163:6892 | N/A | udp |
| AM | 31.184.235.164:6892 | N/A | udp |
| AM | 31.184.235.165:6892 | N/A | udp |
| AM | 31.184.235.166:6892 | N/A | udp |
| AM | 31.184.235.167:6892 | N/A | udp |
| AM | 31.184.235.168:6892 | N/A | udp |
| AM | 31.184.235.169:6892 | N/A | udp |
| AM | 31.184.235.170:6892 | N/A | udp |
| AM | 31.184.235.171:6892 | N/A | udp |
| AM | 31.184.235.172:6892 | N/A | udp |
| AM | 31.184.235.173:6892 | N/A | udp |
| AM | 31.184.235.174:6892 | N/A | udp |
| AM | 31.184.235.175:6892 | N/A | udp |
| AM | 31.184.235.176:6892 | N/A | udp |
| AM | 31.184.235.177:6892 | N/A | udp |
| AM | 31.184.235.178:6892 | N/A | udp |
| AM | 31.184.235.179:6892 | N/A | udp |
| AM | 31.184.235.180:6892 | N/A | udp |
| AM | 31.184.235.181:6892 | N/A | udp |
| AM | 31.184.235.182:6892 | N/A | udp |
| AM | 31.184.235.183:6892 | N/A | udp |
| AM | 31.184.235.184:6892 | N/A | udp |
| AM | 31.184.235.185:6892 | N/A | udp |
| AM | 31.184.235.186:6892 | N/A | udp |
| AM | 31.184.235.187:6892 | N/A | udp |
| AM | 31.184.235.188:6892 | N/A | udp |
| AM | 31.184.235.189:6892 | N/A | udp |
| AM | 31.184.235.190:6892 | N/A | udp |
| AM | 31.184.235.191:6892 | N/A | udp |
| AM | 31.184.235.192:6892 | N/A | udp |
| AM | 31.184.235.193:6892 | N/A | udp |
| AM | 31.184.235.194:6892 | N/A | udp |
| AM | 31.184.235.195:6892 | N/A | udp |
| AM | 31.184.235.196:6892 | N/A | udp |
| AM | 31.184.235.197:6892 | N/A | udp |
| AM | 31.184.235.198:6892 | N/A | udp |
| AM | 31.184.235.199:6892 | N/A | udp |
| AM | 31.184.235.200:6892 | N/A | udp |
| AM | 31.184.235.201:6892 | N/A | udp |
| AM | 31.184.235.202:6892 | N/A | udp |
| AM | 31.184.235.203:6892 | N/A | udp |
| AM | 31.184.235.204:6892 | N/A | udp |
| AM | 31.184.235.205:6892 | N/A | udp |
| AM | 31.184.235.206:6892 | N/A | udp |
| AM | 31.184.235.207:6892 | N/A | udp |
| AM | 31.184.235.208:6892 | N/A | udp |
| AM | 31.184.235.209:6892 | N/A | udp |
| AM | 31.184.235.210:6892 | N/A | udp |
| AM | 31.184.235.211:6892 | N/A | udp |
| AM | 31.184.235.212:6892 | N/A | udp |
| AM | 31.184.235.213:6892 | N/A | udp |
| AM | 31.184.235.214:6892 | N/A | udp |
| AM | 31.184.235.215:6892 | N/A | udp |
| AM | 31.184.235.216:6892 | N/A | udp |
| AM | 31.184.235.217:6892 | N/A | udp |
| AM | 31.184.235.218:6892 | N/A | udp |
| AM | 31.184.235.219:6892 | N/A | udp |
| AM | 31.184.235.220:6892 | N/A | udp |
| AM | 31.184.235.221:6892 | N/A | udp |
| AM | 31.184.235.222:6892 | N/A | udp |
| AM | 31.184.235.223:6892 | N/A | udp |
| AM | 31.184.235.224:6892 | N/A | udp |
| AM | 31.184.235.225:6892 | N/A | udp |
| AM | 31.184.235.226:6892 | N/A | udp |
| AM | 31.184.235.227:6892 | N/A | udp |
| AM | 31.184.235.228:6892 | N/A | udp |
| AM | 31.184.235.229:6892 | N/A | udp |
| AM | 31.184.235.230:6892 | N/A | udp |
| AM | 31.184.235.231:6892 | N/A | udp |
| AM | 31.184.235.232:6892 | N/A | udp |
| AM | 31.184.235.233:6892 | N/A | udp |
| AM | 31.184.235.234:6892 | N/A | udp |
| AM | 31.184.235.235:6892 | N/A | udp |
| AM | 31.184.235.236:6892 | N/A | udp |
| AM | 31.184.235.237:6892 | N/A | udp |
| AM | 31.184.235.238:6892 | N/A | udp |
| AM | 31.184.235.239:6892 | N/A | udp |
| AM | 31.184.235.240:6892 | N/A | udp |
| AM | 31.184.235.241:6892 | N/A | udp |
| AM | 31.184.235.242:6892 | N/A | udp |
| AM | 31.184.235.243:6892 | N/A | udp |
| AM | 31.184.235.244:6892 | N/A | udp |
| AM | 31.184.235.245:6892 | N/A | udp |
| AM | 31.184.235.246:6892 | N/A | udp |
| AM | 31.184.235.247:6892 | N/A | udp |
| AM | 31.184.235.248:6892 | N/A | udp |
| AM | 31.184.235.249:6892 | N/A | udp |
| AM | 31.184.235.250:6892 | N/A | udp |
| AM | 31.184.235.251:6892 | N/A | udp |
| AM | 31.184.235.252:6892 | N/A | udp |
| AM | 31.184.235.253:6892 | N/A | udp |
| AM | 31.184.235.254:6892 | N/A | udp |
| AM | 31.184.235.255:6892 | N/A | udp |
| AM | 31.184.234.0:6892 | N/A | udp |
| AM | 31.184.234.1:6892 | N/A | udp |
| AM | 31.184.234.2:6892 | N/A | udp |
| AM | 31.184.234.3:6892 | N/A | udp |
| AM | 31.184.234.4:6892 | N/A | udp |
| AM | 31.184.234.5:6892 | N/A | udp |
| AM | 31.184.234.6:6892 | N/A | udp |
| AM | 31.184.234.7:6892 | N/A | udp |
| AM | 31.184.234.8:6892 | N/A | udp |
| AM | 31.184.234.9:6892 | N/A | udp |
| AM | 31.184.234.10:6892 | N/A | udp |
| AM | 31.184.234.11:6892 | N/A | udp |
| AM | 31.184.234.12:6892 | N/A | udp |
| AM | 31.184.234.13:6892 | N/A | udp |
| AM | 31.184.234.14:6892 | N/A | udp |
| AM | 31.184.234.15:6892 | N/A | udp |
| AM | 31.184.234.16:6892 | N/A | udp |
| AM | 31.184.234.17:6892 | N/A | udp |
| AM | 31.184.234.18:6892 | N/A | udp |
| AM | 31.184.234.19:6892 | N/A | udp |
| AM | 31.184.234.20:6892 | N/A | udp |
| AM | 31.184.234.21:6892 | N/A | udp |
| AM | 31.184.234.22:6892 | N/A | udp |
| AM | 31.184.234.23:6892 | N/A | udp |
| AM | 31.184.234.24:6892 | N/A | udp |
| AM | 31.184.234.25:6892 | udp | |
| AM | 31.184.234.26:6892 | udp | |
| AM | 31.184.234.27:6892 | udp | |
| AM | 31.184.234.28:6892 | udp | |
| AM | 31.184.234.29:6892 | udp | |
| AM | 31.184.234.30:6892 | udp | |
| AM | 31.184.234.31:6892 | udp | |
| AM | 31.184.234.32:6892 | udp | |
| AM | 31.184.234.33:6892 | udp | |
| AM | 31.184.234.34:6892 | udp | |
| AM | 31.184.234.35:6892 | udp | |
| AM | 31.184.234.36:6892 | udp | |
| AM | 31.184.234.37:6892 | udp | |
| AM | 31.184.234.38:6892 | udp | |
| AM | 31.184.234.39:6892 | udp | |
| AM | 31.184.234.40:6892 | udp | |
| AM | 31.184.234.41:6892 | udp | |
| AM | 31.184.234.42:6892 | udp | |
| AM | 31.184.234.43:6892 | udp | |
| AM | 31.184.234.44:6892 | udp | |
| AM | 31.184.234.45:6892 | udp | |
| AM | 31.184.234.46:6892 | udp | |
| AM | 31.184.234.47:6892 | udp | |
| AM | 31.184.234.48:6892 | udp | |
| AM | 31.184.234.49:6892 | udp | |
| AM | 31.184.234.50:6892 | udp | |
| AM | 31.184.234.51:6892 | udp | |
| AM | 31.184.234.52:6892 | udp | |
| AM | 31.184.234.53:6892 | udp | |
| AM | 31.184.234.54:6892 | udp | |
| AM | 31.184.234.55:6892 | udp | |
| AM | 31.184.234.56:6892 | udp | |
| AM | 31.184.234.57:6892 | udp | |
| AM | 31.184.234.58:6892 | udp | |
| AM | 31.184.234.59:6892 | udp | |
| AM | 31.184.234.60:6892 | udp | |
| AM | 31.184.234.61:6892 | udp | |
| AM | 31.184.234.62:6892 | udp | |
| AM | 31.184.234.63:6892 | udp | |
| AM | 31.184.234.64:6892 | udp | |
| AM | 31.184.234.65:6892 | udp | |
| AM | 31.184.234.66:6892 | udp | |
| AM | 31.184.234.67:6892 | udp | |
| AM | 31.184.234.68:6892 | udp | |
| AM | 31.184.234.69:6892 | udp | |
| AM | 31.184.234.70:6892 | udp | |
| AM | 31.184.234.71:6892 | udp | |
| AM | 31.184.234.72:6892 | udp | |
| AM | 31.184.234.73:6892 | udp | |
| AM | 31.184.234.74:6892 | udp | |
| AM | 31.184.234.75:6892 | udp | |
| AM | 31.184.234.76:6892 | udp | |
| AM | 31.184.234.77:6892 | udp | |
| AM | 31.184.234.78:6892 | udp | |
| AM | 31.184.234.79:6892 | udp | |
| AM | 31.184.234.80:6892 | udp | |
| AM | 31.184.234.81:6892 | udp | |
| AM | 31.184.234.82:6892 | udp | |
| AM | 31.184.234.83:6892 | udp | |
| AM | 31.184.234.84:6892 | udp | |
| AM | 31.184.234.85:6892 | udp | |
| AM | 31.184.234.86:6892 | udp | |
| AM | 31.184.234.87:6892 | udp | |
| AM | 31.184.234.88:6892 | udp | |
| AM | 31.184.234.89:6892 | udp | |
| AM | 31.184.234.90:6892 | udp | |
| AM | 31.184.234.91:6892 | udp | |
| AM | 31.184.234.92:6892 | udp | |
| AM | 31.184.234.93:6892 | udp | |
| AM | 31.184.234.94:6892 | udp | |
| AM | 31.184.234.95:6892 | udp | |
| AM | 31.184.234.96:6892 | udp | |
| AM | 31.184.234.97:6892 | udp | |
| AM | 31.184.234.98:6892 | udp | |
| AM | 31.184.234.99:6892 | udp | |
| AM | 31.184.234.100:6892 | udp | |
| AM | 31.184.234.101:6892 | udp | |
| AM | 31.184.234.102:6892 | udp | |
| AM | 31.184.234.103:6892 | udp | |
| AM | 31.184.234.104:6892 | udp | |
| AM | 31.184.234.105:6892 | udp | |
| AM | 31.184.234.106:6892 | udp | |
| AM | 31.184.234.107:6892 | udp | |
| AM | 31.184.234.108:6892 | udp | |
| AM | 31.184.234.109:6892 | udp | |
| AM | 31.184.234.110:6892 | udp | |
| AM | 31.184.234.111:6892 | udp | |
| AM | 31.184.234.112:6892 | udp | |
| AM | 31.184.234.113:6892 | udp | |
| AM | 31.184.234.114:6892 | udp | |
| AM | 31.184.234.115:6892 | udp | |
| AM | 31.184.234.116:6892 | udp | |
| AM | 31.184.234.117:6892 | udp | |
| AM | 31.184.234.118:6892 | udp | |
| AM | 31.184.234.119:6892 | udp | |
| AM | 31.184.234.120:6892 | udp | |
| AM | 31.184.234.121:6892 | udp | |
| AM | 31.184.234.122:6892 | udp | |
| AM | 31.184.234.123:6892 | udp | |
| AM | 31.184.234.124:6892 | udp | |
| AM | 31.184.234.125:6892 | udp | |
| AM | 31.184.234.126:6892 | udp | |
| AM | 31.184.234.127:6892 | udp | |
| AM | 31.184.234.128:6892 | udp | |
| AM | 31.184.234.129:6892 | udp | |
| AM | 31.184.234.130:6892 | udp | |
| AM | 31.184.234.131:6892 | udp | |
| AM | 31.184.234.132:6892 | udp | |
| AM | 31.184.234.133:6892 | udp | |
| AM | 31.184.234.134:6892 | udp | |
| AM | 31.184.234.135:6892 | udp | |
| AM | 31.184.234.136:6892 | udp | |
| AM | 31.184.234.137:6892 | udp | |
| AM | 31.184.234.138:6892 | udp | |
| AM | 31.184.234.139:6892 | udp | |
| AM | 31.184.234.140:6892 | udp | |
| AM | 31.184.234.141:6892 | udp | |
| AM | 31.184.234.142:6892 | udp | |
| AM | 31.184.234.143:6892 | udp | |
| AM | 31.184.234.144:6892 | udp | |
| AM | 31.184.234.145:6892 | udp | |
| AM | 31.184.234.146:6892 | udp | |
| AM | 31.184.234.147:6892 | udp | |
| AM | 31.184.234.148:6892 | udp | |
| AM | 31.184.234.149:6892 | udp | |
| AM | 31.184.234.150:6892 | udp | |
| AM | 31.184.234.151:6892 | udp | |
| AM | 31.184.234.152:6892 | udp | |
| AM | 31.184.234.153:6892 | udp | |
| AM | 31.184.234.154:6892 | udp | |
| AM | 31.184.234.155:6892 | udp | |
| AM | 31.184.234.156:6892 | udp | |
| AM | 31.184.234.157:6892 | udp | |
| AM | 31.184.234.158:6892 | udp | |
| AM | 31.184.234.159:6892 | udp | |
| AM | 31.184.234.160:6892 | udp | |
| AM | 31.184.234.161:6892 | udp | |
| AM | 31.184.234.162:6892 | udp | |
| AM | 31.184.234.163:6892 | udp | |
| AM | 31.184.234.164:6892 | udp | |
| AM | 31.184.234.165:6892 | udp | |
| AM | 31.184.234.166:6892 | udp | |
| AM | 31.184.234.167:6892 | udp | |
| AM | 31.184.234.168:6892 | udp | |
| AM | 31.184.234.169:6892 | udp | |
| AM | 31.184.234.170:6892 | udp | |
| AM | 31.184.234.171:6892 | udp | |
| AM | 31.184.234.172:6892 | udp | |
| AM | 31.184.234.173:6892 | udp | |
| AM | 31.184.234.174:6892 | udp | |
| AM | 31.184.234.175:6892 | udp | |
| AM | 31.184.234.176:6892 | udp | |
| AM | 31.184.234.177:6892 | udp | |
| AM | 31.184.234.178:6892 | udp | |
| AM | 31.184.234.179:6892 | udp | |
| AM | 31.184.234.180:6892 | udp | |
| AM | 31.184.234.181:6892 | udp | |
| AM | 31.184.234.182:6892 | udp | |
| AM | 31.184.234.183:6892 | udp | |
| AM | 31.184.234.184:6892 | udp | |
| AM | 31.184.234.185:6892 | udp | |
| AM | 31.184.234.186:6892 | udp | |
| AM | 31.184.234.187:6892 | udp | |
| AM | 31.184.234.188:6892 | udp | |
| AM | 31.184.234.189:6892 | udp | |
| AM | 31.184.234.190:6892 | udp | |
| AM | 31.184.234.191:6892 | udp | |
| AM | 31.184.234.192:6892 | udp | |
| AM | 31.184.234.193:6892 | udp | |
| AM | 31.184.234.194:6892 | udp | |
| AM | 31.184.234.195:6892 | udp | |
| AM | 31.184.234.196:6892 | udp | |
| AM | 31.184.234.197:6892 | udp | |
| AM | 31.184.234.198:6892 | udp | |
| AM | 31.184.234.199:6892 | udp | |
| AM | 31.184.234.200:6892 | udp | |
| AM | 31.184.234.201:6892 | udp | |
| AM | 31.184.234.202:6892 | udp | |
| AM | 31.184.234.203:6892 | udp | |
| AM | 31.184.234.204:6892 | udp | |
| AM | 31.184.234.205:6892 | udp | |
| AM | 31.184.234.206:6892 | udp | |
| AM | 31.184.234.207:6892 | udp | |
| AM | 31.184.234.208:6892 | udp | |
| AM | 31.184.234.209:6892 | udp | |
| AM | 31.184.234.210:6892 | udp | |
| AM | 31.184.234.211:6892 | udp | |
| AM | 31.184.234.212:6892 | udp | |
| AM | 31.184.234.213:6892 | udp | |
| AM | 31.184.234.214:6892 | udp | |
| AM | 31.184.234.215:6892 | udp | |
| AM | 31.184.234.216:6892 | udp | |
| AM | 31.184.234.217:6892 | udp | |
| AM | 31.184.234.218:6892 | udp | |
| AM | 31.184.234.219:6892 | udp | |
| AM | 31.184.234.220:6892 | udp | |
| AM | 31.184.234.221:6892 | udp | |
| AM | 31.184.234.222:6892 | udp | |
| AM | 31.184.234.223:6892 | udp | |
| AM | 31.184.234.224:6892 | udp | |
| AM | 31.184.234.225:6892 | udp | |
| AM | 31.184.234.226:6892 | udp | |
| AM | 31.184.234.227:6892 | udp | |
| AM | 31.184.234.228:6892 | udp | |
| AM | 31.184.234.229:6892 | udp | |
| AM | 31.184.234.230:6892 | udp | |
| AM | 31.184.234.231:6892 | udp | |
| AM | 31.184.234.232:6892 | udp | |
| AM | 31.184.234.233:6892 | udp | |
| AM | 31.184.234.234:6892 | udp | |
| AM | 31.184.234.235:6892 | udp | |
| AM | 31.184.234.236:6892 | udp | |
| AM | 31.184.234.237:6892 | udp | |
| AM | 31.184.234.238:6892 | udp | |
| AM | 31.184.234.239:6892 | udp | |
| AM | 31.184.234.240:6892 | udp | |
| AM | 31.184.234.241:6892 | udp | |
| AM | 31.184.234.242:6892 | udp | |
| AM | 31.184.234.243:6892 | udp | |
| AM | 31.184.234.244:6892 | udp | |
| AM | 31.184.234.245:6892 | udp | |
| AM | 31.184.234.246:6892 | udp | |
| AM | 31.184.234.247:6892 | udp | |
| AM | 31.184.234.248:6892 | udp | |
| AM | 31.184.234.249:6892 | udp | |
| AM | 31.184.234.250:6892 | udp | |
| AM | 31.184.234.251:6892 | udp | |
| AM | 31.184.234.252:6892 | udp | |
| AM | 31.184.234.253:6892 | udp | |
| AM | 31.184.234.254:6892 | udp | |
| AM | 31.184.234.255:6892 | udp | |
| AM | 31.184.235.0:6892 | udp | |
| AM | 31.184.235.1:6892 | udp | |
| AM | 31.184.235.2:6892 | udp | |
| AM | 31.184.235.3:6892 | udp | |
| AM | 31.184.235.4:6892 | udp | |
| AM | 31.184.235.5:6892 | udp | |
| AM | 31.184.235.6:6892 | udp | |
| AM | 31.184.235.7:6892 | udp | |
| AM | 31.184.235.8:6892 | udp | |
| AM | 31.184.235.9:6892 | udp | |
| AM | 31.184.235.10:6892 | udp | |
| AM | 31.184.235.11:6892 | udp | |
| AM | 31.184.235.12:6892 | udp | |
| AM | 31.184.235.13:6892 | udp | |
| AM | 31.184.235.14:6892 | udp | |
| AM | 31.184.235.15:6892 | udp | |
| AM | 31.184.235.16:6892 | udp | |
| AM | 31.184.235.17:6892 | udp | |
| AM | 31.184.235.18:6892 | udp | |
| AM | 31.184.235.19:6892 | udp | |
| AM | 31.184.235.20:6892 | udp | |
| AM | 31.184.235.21:6892 | udp | |
| AM | 31.184.235.22:6892 | udp | |
| AM | 31.184.235.23:6892 | udp | |
| AM | 31.184.235.24:6892 | udp | |
| AM | 31.184.235.25:6892 | udp | |
| AM | 31.184.235.26:6892 | udp | |
| AM | 31.184.235.27:6892 | udp | |
| AM | 31.184.235.28:6892 | udp | |
| AM | 31.184.235.29:6892 | udp | |
| AM | 31.184.235.30:6892 | udp | |
| AM | 31.184.235.31:6892 | udp | |
| AM | 31.184.235.32:6892 | udp | |
| AM | 31.184.235.33:6892 | udp | |
| AM | 31.184.235.34:6892 | udp | |
| AM | 31.184.235.35:6892 | udp | |
| AM | 31.184.235.36:6892 | udp | |
| AM | 31.184.235.37:6892 | udp | |
| AM | 31.184.235.38:6892 | udp | |
| AM | 31.184.235.39:6892 | udp | |
| AM | 31.184.235.40:6892 | udp | |
| AM | 31.184.235.41:6892 | udp | |
| AM | 31.184.235.42:6892 | udp | |
| AM | 31.184.235.43:6892 | udp | |
| AM | 31.184.235.44:6892 | udp | |
| AM | 31.184.235.45:6892 | udp | |
| AM | 31.184.235.46:6892 | udp | |
| AM | 31.184.235.47:6892 | udp | |
| AM | 31.184.235.48:6892 | udp | |
| AM | 31.184.235.49:6892 | udp | |
| AM | 31.184.235.50:6892 | udp | |
| AM | 31.184.235.51:6892 | udp | |
| AM | 31.184.235.52:6892 | udp | |
| AM | 31.184.235.53:6892 | udp | |
| AM | 31.184.235.54:6892 | udp | |
| AM | 31.184.235.55:6892 | udp | |
| AM | 31.184.235.56:6892 | udp | |
| AM | 31.184.235.57:6892 | udp | |
| AM | 31.184.235.58:6892 | udp | |
| AM | 31.184.235.59:6892 | udp | |
| AM | 31.184.235.60:6892 | udp | |
| AM | 31.184.235.61:6892 | udp | |
| AM | 31.184.235.62:6892 | udp | |
| AM | 31.184.235.63:6892 | udp | |
| AM | 31.184.235.64:6892 | udp | |
| AM | 31.184.235.65:6892 | udp | |
| AM | 31.184.235.66:6892 | udp | |
| AM | 31.184.235.67:6892 | udp | |
| AM | 31.184.235.68:6892 | udp | |
| AM | 31.184.235.69:6892 | udp | |
| AM | 31.184.235.70:6892 | udp | |
| AM | 31.184.235.71:6892 | udp | |
| AM | 31.184.235.72:6892 | udp | |
| AM | 31.184.235.73:6892 | udp | |
| AM | 31.184.235.74:6892 | udp | |
| AM | 31.184.235.75:6892 | udp | |
| AM | 31.184.235.76:6892 | udp | |
| AM | 31.184.235.77:6892 | udp | |
| AM | 31.184.235.78:6892 | udp | |
| AM | 31.184.235.79:6892 | udp | |
| AM | 31.184.235.80:6892 | udp | |
| AM | 31.184.235.81:6892 | udp | |
| AM | 31.184.235.82:6892 | udp | |
| AM | 31.184.235.83:6892 | udp | |
| AM | 31.184.235.84:6892 | udp | |
| AM | 31.184.235.85:6892 | udp | |
| AM | 31.184.235.86:6892 | udp | |
| AM | 31.184.235.87:6892 | udp | |
| AM | 31.184.235.88:6892 | udp | |
| AM | 31.184.235.89:6892 | udp | |
| AM | 31.184.235.90:6892 | udp | |
| AM | 31.184.235.91:6892 | udp | |
| AM | 31.184.235.92:6892 | udp | |
| AM | 31.184.235.93:6892 | udp | |
| AM | 31.184.235.94:6892 | udp | |
| AM | 31.184.235.95:6892 | udp | |
| AM | 31.184.235.96:6892 | udp | |
| AM | 31.184.235.97:6892 | udp | |
| AM | 31.184.235.98:6892 | udp | |
| AM | 31.184.235.99:6892 | udp | |
| AM | 31.184.235.100:6892 | udp | |
| AM | 31.184.235.101:6892 | udp | |
| AM | 31.184.235.102:6892 | udp | |
| AM | 31.184.235.103:6892 | udp | |
| AM | 31.184.235.104:6892 | udp | |
| AM | 31.184.235.105:6892 | udp | |
| AM | 31.184.235.106:6892 | udp | |
| AM | 31.184.235.107:6892 | udp | |
| AM | 31.184.235.108:6892 | udp | |
| AM | 31.184.235.109:6892 | udp | |
| AM | 31.184.235.110:6892 | udp | |
| AM | 31.184.235.111:6892 | udp | |
| AM | 31.184.235.112:6892 | udp | |
| AM | 31.184.235.113:6892 | udp | |
| AM | 31.184.235.114:6892 | udp | |
| AM | 31.184.235.115:6892 | udp | |
| AM | 31.184.235.116:6892 | udp | |
| AM | 31.184.235.117:6892 | udp | |
| AM | 31.184.235.118:6892 | udp | |
| AM | 31.184.235.119:6892 | udp | |
| AM | 31.184.235.120:6892 | udp | |
| AM | 31.184.235.121:6892 | udp | |
| AM | 31.184.235.122:6892 | udp | |
| AM | 31.184.235.123:6892 | udp | |
| AM | 31.184.235.124:6892 | udp | |
| AM | 31.184.235.125:6892 | udp | |
| AM | 31.184.235.126:6892 | udp | |
| AM | 31.184.235.127:6892 | udp | |
| AM | 31.184.235.128:6892 | udp | |
| AM | 31.184.235.129:6892 | udp | |
| AM | 31.184.235.130:6892 | udp | |
| AM | 31.184.235.131:6892 | udp | |
| AM | 31.184.235.132:6892 | udp | |
| AM | 31.184.235.133:6892 | udp | |
| AM | 31.184.235.134:6892 | udp | |
| AM | 31.184.235.135:6892 | udp | |
| AM | 31.184.235.136:6892 | udp | |
| AM | 31.184.235.137:6892 | udp | |
| AM | 31.184.235.138:6892 | udp | |
| AM | 31.184.235.139:6892 | udp | |
| AM | 31.184.235.140:6892 | udp | |
| AM | 31.184.235.141:6892 | udp | |
| AM | 31.184.235.142:6892 | udp | |
| AM | 31.184.235.143:6892 | udp | |
| AM | 31.184.235.144:6892 | udp | |
| AM | 31.184.235.145:6892 | udp | |
| AM | 31.184.235.146:6892 | udp | |
| AM | 31.184.235.147:6892 | udp | |
| AM | 31.184.235.148:6892 | udp | |
| AM | 31.184.235.149:6892 | udp | |
| AM | 31.184.235.150:6892 | udp | |
| AM | 31.184.235.151:6892 | udp | |
| AM | 31.184.235.152:6892 | udp | |
| AM | 31.184.235.153:6892 | udp | |
| AM | 31.184.235.154:6892 | udp | |
| AM | 31.184.235.155:6892 | udp | |
| AM | 31.184.235.156:6892 | udp | |
| AM | 31.184.235.157:6892 | udp | |
| AM | 31.184.235.158:6892 | udp | |
| AM | 31.184.235.159:6892 | udp | |
| AM | 31.184.235.160:6892 | udp | |
| AM | 31.184.235.161:6892 | udp | |
| AM | 31.184.235.162:6892 | udp | |
| AM | 31.184.235.163:6892 | udp | |
| AM | 31.184.235.164:6892 | udp | |
| AM | 31.184.235.165:6892 | udp | |
| AM | 31.184.235.166:6892 | udp | |
| AM | 31.184.235.167:6892 | udp | |
| AM | 31.184.235.168:6892 | udp | |
| AM | 31.184.235.169:6892 | udp | |
| AM | 31.184.235.170:6892 | udp | |
| AM | 31.184.235.171:6892 | udp | |
| AM | 31.184.235.172:6892 | udp | |
| AM | 31.184.235.173:6892 | udp | |
| AM | 31.184.235.174:6892 | udp | |
| AM | 31.184.235.175:6892 | udp | |
| AM | 31.184.235.176:6892 | udp | |
| AM | 31.184.235.177:6892 | udp | |
| AM | 31.184.235.178:6892 | udp | |
| AM | 31.184.235.179:6892 | udp | |
| AM | 31.184.235.180:6892 | udp | |
| AM | 31.184.235.181:6892 | udp | |
| AM | 31.184.235.182:6892 | udp | |
| AM | 31.184.235.183:6892 | udp | |
| AM | 31.184.235.184:6892 | udp | |
| AM | 31.184.235.185:6892 | udp | |
| AM | 31.184.235.186:6892 | udp | |
| AM | 31.184.235.187:6892 | udp | |
| AM | 31.184.235.188:6892 | udp | |
| AM | 31.184.235.189:6892 | udp | |
| AM | 31.184.235.190:6892 | udp | |
| AM | 31.184.235.191:6892 | udp | |
| AM | 31.184.235.192:6892 | udp | |
| AM | 31.184.235.193:6892 | udp | |
| AM | 31.184.235.194:6892 | udp | |
| AM | 31.184.235.195:6892 | udp | |
| AM | 31.184.235.196:6892 | udp | |
| AM | 31.184.235.197:6892 | udp | |
| AM | 31.184.235.198:6892 | udp | |
| AM | 31.184.235.199:6892 | udp | |
| AM | 31.184.235.200:6892 | udp | |
| AM | 31.184.235.201:6892 | udp | |
| AM | 31.184.235.202:6892 | udp | |
| AM | 31.184.235.203:6892 | udp | |
| AM | 31.184.235.204:6892 | udp | |
| AM | 31.184.235.205:6892 | udp | |
| AM | 31.184.235.206:6892 | udp | |
| AM | 31.184.235.207:6892 | udp | |
| AM | 31.184.235.208:6892 | udp | |
| AM | 31.184.235.209:6892 | udp | |
| AM | 31.184.235.210:6892 | udp | |
| AM | 31.184.235.211:6892 | udp | |
| AM | 31.184.235.212:6892 | udp | |
| AM | 31.184.235.213:6892 | udp | |
| AM | 31.184.235.214:6892 | udp | |
| AM | 31.184.235.215:6892 | udp | |
| AM | 31.184.235.216:6892 | udp | |
| AM | 31.184.235.217:6892 | udp | |
| AM | 31.184.235.218:6892 | udp | |
| AM | 31.184.235.219:6892 | udp | |
| AM | 31.184.235.220:6892 | udp | |
| AM | 31.184.235.221:6892 | udp | |
| AM | 31.184.235.222:6892 | udp | |
| AM | 31.184.235.223:6892 | udp | |
| AM | 31.184.235.224:6892 | udp | |
| AM | 31.184.235.225:6892 | udp | |
| AM | 31.184.235.226:6892 | udp | |
| AM | 31.184.235.227:6892 | udp | |
| AM | 31.184.235.228:6892 | udp | |
| AM | 31.184.235.229:6892 | udp | |
| AM | 31.184.235.230:6892 | udp | |
| AM | 31.184.235.231:6892 | udp | |
| AM | 31.184.235.232:6892 | udp | |
| AM | 31.184.235.233:6892 | udp | |
| AM | 31.184.235.234:6892 | udp | |
| AM | 31.184.235.235:6892 | udp | |
| AM | 31.184.235.236:6892 | udp | |
| AM | 31.184.235.237:6892 | udp | |
| AM | 31.184.235.238:6892 | udp | |
| AM | 31.184.235.239:6892 | udp | |
| AM | 31.184.235.240:6892 | udp | |
| AM | 31.184.235.241:6892 | udp | |
| AM | 31.184.235.242:6892 | udp | |
| AM | 31.184.235.243:6892 | udp | |
| AM | 31.184.235.244:6892 | udp | |
| AM | 31.184.235.245:6892 | udp | |
| AM | 31.184.235.246:6892 | udp | |
| AM | 31.184.235.247:6892 | udp | |
| AM | 31.184.235.248:6892 | udp | |
| AM | 31.184.235.249:6892 | udp | |
| AM | 31.184.235.250:6892 | udp | |
| AM | 31.184.235.251:6892 | udp | |
| AM | 31.184.235.252:6892 | udp | |
| AM | 31.184.235.253:6892 | udp | |
| AM | 31.184.235.254:6892 | udp | |
| AM | 31.184.235.255:6892 | udp | |
| AM | 31.184.234.0:6892 | udp | |
| AM | 31.184.234.1:6892 | udp | |
| AM | 31.184.234.2:6892 | udp | |
| AM | 31.184.234.3:6892 | udp | |
| AM | 31.184.234.4:6892 | udp | |
| AM | 31.184.234.5:6892 | udp | |
| AM | 31.184.234.6:6892 | udp | |
| AM | 31.184.234.7:6892 | udp | |
| AM | 31.184.234.8:6892 | udp | |
| AM | 31.184.234.9:6892 | udp | |
| AM | 31.184.234.10:6892 | udp | |
| AM | 31.184.234.11:6892 | udp | |
| AM | 31.184.234.12:6892 | udp | |
| AM | 31.184.234.13:6892 | udp | |
| AM | 31.184.234.14:6892 | udp | |
| AM | 31.184.234.15:6892 | udp | |
| AM | 31.184.234.16:6892 | udp | |
| AM | 31.184.234.17:6892 | udp | |
| AM | 31.184.234.18:6892 | udp | |
| AM | 31.184.234.19:6892 | udp | |
| AM | 31.184.234.20:6892 | udp | |
| AM | 31.184.234.21:6892 | udp | |
| AM | 31.184.234.22:6892 | udp | |
| AM | 31.184.234.23:6892 | udp | |
| AM | 31.184.234.24:6892 | udp | |
| AM | 31.184.234.25:6892 | udp | |
| AM | 31.184.234.26:6892 | udp | |
| AM | 31.184.234.27:6892 | udp | |
| AM | 31.184.234.28:6892 | udp | |
| AM | 31.184.234.29:6892 | udp | |
| AM | 31.184.234.30:6892 | udp | |
| AM | 31.184.234.31:6892 | udp | |
| AM | 31.184.234.32:6892 | udp | |
| AM | 31.184.234.33:6892 | udp | |
| AM | 31.184.234.34:6892 | udp | |
| AM | 31.184.234.35:6892 | udp | |
| AM | 31.184.234.36:6892 | udp | |
| AM | 31.184.234.37:6892 | udp | |
| AM | 31.184.234.38:6892 | udp | |
| AM | 31.184.234.39:6892 | udp | |
| AM | 31.184.234.40:6892 | udp | |
| AM | 31.184.234.41:6892 | udp | |
| AM | 31.184.234.42:6892 | udp | |
| AM | 31.184.234.43:6892 | udp | |
| AM | 31.184.234.44:6892 | udp | |
| AM | 31.184.234.45:6892 | udp | |
| AM | 31.184.234.46:6892 | udp | |
| AM | 31.184.234.47:6892 | udp | |
| AM | 31.184.234.48:6892 | udp | |
| AM | 31.184.234.49:6892 | udp | |
| AM | 31.184.234.50:6892 | udp | |
| AM | 31.184.234.51:6892 | udp | |
| AM | 31.184.234.52:6892 | udp | |
| AM | 31.184.234.53:6892 | udp | |
| AM | 31.184.234.54:6892 | udp | |
| AM | 31.184.234.55:6892 | udp | |
| AM | 31.184.234.56:6892 | udp | |
| AM | 31.184.234.57:6892 | udp | |
| AM | 31.184.234.58:6892 | udp | |
| AM | 31.184.234.59:6892 | udp | |
| AM | 31.184.234.60:6892 | udp | |
| AM | 31.184.234.61:6892 | udp | |
| AM | 31.184.234.62:6892 | udp | |
| AM | 31.184.234.63:6892 | udp | |
| AM | 31.184.234.64:6892 | udp | |
| AM | 31.184.234.65:6892 | udp | |
| AM | 31.184.234.66:6892 | udp | |
| AM | 31.184.234.67:6892 | udp | |
| AM | 31.184.234.68:6892 | udp | |
| AM | 31.184.234.69:6892 | udp | |
| AM | 31.184.234.70:6892 | udp | |
| AM | 31.184.234.71:6892 | udp | |
| AM | 31.184.234.72:6892 | udp | |
| AM | 31.184.234.73:6892 | udp | |
| AM | 31.184.234.74:6892 | udp | |
| AM | 31.184.234.75:6892 | udp | |
| AM | 31.184.234.76:6892 | udp | |
| AM | 31.184.234.77:6892 | udp | |
| AM | 31.184.234.78:6892 | udp | |
| AM | 31.184.234.79:6892 | udp | |
| AM | 31.184.234.80:6892 | udp | |
| AM | 31.184.234.81:6892 | udp | |
| AM | 31.184.234.82:6892 | udp | |
| AM | 31.184.234.83:6892 | udp | |
| AM | 31.184.234.84:6892 | udp | |
| AM | 31.184.234.85:6892 | udp | |
| AM | 31.184.234.86:6892 | udp | |
| AM | 31.184.234.87:6892 | udp | |
| AM | 31.184.234.88:6892 | udp | |
| AM | 31.184.234.89:6892 | udp | |
| AM | 31.184.234.90:6892 | udp | |
| AM | 31.184.234.91:6892 | udp | |
| AM | 31.184.234.92:6892 | udp | |
| AM | 31.184.234.93:6892 | udp | |
| AM | 31.184.234.94:6892 | udp | |
| AM | 31.184.234.95:6892 | udp | |
| AM | 31.184.234.96:6892 | udp | |
| AM | 31.184.234.97:6892 | udp | |
| AM | 31.184.234.98:6892 | udp | |
| AM | 31.184.234.99:6892 | udp | |
| AM | 31.184.234.100:6892 | udp | |
| AM | 31.184.234.101:6892 | udp | |
| AM | 31.184.234.102:6892 | udp | |
| AM | 31.184.234.103:6892 | udp | |
| AM | 31.184.234.104:6892 | udp | |
| AM | 31.184.234.105:6892 | udp | |
| AM | 31.184.234.106:6892 | udp | |
| AM | 31.184.234.107:6892 | udp | |
| AM | 31.184.234.108:6892 | udp | |
| AM | 31.184.234.109:6892 | udp | |
| AM | 31.184.234.110:6892 | udp | |
| AM | 31.184.234.111:6892 | udp | |
| AM | 31.184.234.112:6892 | udp | |
| AM | 31.184.234.113:6892 | udp | |
| AM | 31.184.234.114:6892 | udp | |
| AM | 31.184.234.115:6892 | udp | |
| AM | 31.184.234.116:6892 | udp | |
| AM | 31.184.234.117:6892 | udp | |
| AM | 31.184.234.118:6892 | udp | |
| AM | 31.184.234.119:6892 | udp | |
| AM | 31.184.234.120:6892 | udp | |
| AM | 31.184.234.121:6892 | udp | |
| AM | 31.184.234.122:6892 | udp | |
| AM | 31.184.234.123:6892 | udp | |
| AM | 31.184.234.124:6892 | udp | |
| AM | 31.184.234.125:6892 | udp | |
| AM | 31.184.234.126:6892 | udp | |
| AM | 31.184.234.127:6892 | udp | |
| AM | 31.184.234.128:6892 | udp | |
| AM | 31.184.234.129:6892 | udp | |
| AM | 31.184.234.130:6892 | udp | |
| AM | 31.184.234.131:6892 | udp | |
| AM | 31.184.234.132:6892 | udp | |
| AM | 31.184.234.133:6892 | udp | |
| AM | 31.184.234.134:6892 | udp | |
| AM | 31.184.234.135:6892 | udp | |
| AM | 31.184.234.136:6892 | udp | |
| AM | 31.184.234.137:6892 | udp | |
| AM | 31.184.234.138:6892 | udp | |
| AM | 31.184.234.139:6892 | udp | |
| AM | 31.184.234.140:6892 | udp | |
| AM | 31.184.234.141:6892 | udp | |
| AM | 31.184.234.142:6892 | udp | |
| AM | 31.184.234.143:6892 | udp | |
| AM | 31.184.234.144:6892 | udp | |
| AM | 31.184.234.145:6892 | udp | |
| AM | 31.184.234.146:6892 | udp | |
| AM | 31.184.234.147:6892 | udp | |
| AM | 31.184.234.148:6892 | udp | |
| AM | 31.184.234.149:6892 | udp | |
| AM | 31.184.234.150:6892 | udp | |
| AM | 31.184.234.151:6892 | udp | |
| AM | 31.184.234.152:6892 | udp | |
| AM | 31.184.234.153:6892 | udp | |
| AM | 31.184.234.154:6892 | udp | |
| AM | 31.184.234.155:6892 | udp | |
| AM | 31.184.234.156:6892 | udp | |
| AM | 31.184.234.157:6892 | udp | |
| AM | 31.184.234.158:6892 | udp | |
| AM | 31.184.234.159:6892 | udp | |
| AM | 31.184.234.160:6892 | udp | |
| AM | 31.184.234.161:6892 | udp | |
| AM | 31.184.234.162:6892 | udp | |
| AM | 31.184.234.163:6892 | udp | |
| AM | 31.184.234.164:6892 | udp | |
| AM | 31.184.234.165:6892 | udp | |
| AM | 31.184.234.166:6892 | udp | |
| AM | 31.184.234.167:6892 | udp | |
| AM | 31.184.234.168:6892 | udp | |
| AM | 31.184.234.169:6892 | udp | |
| AM | 31.184.234.170:6892 | udp | |
| AM | 31.184.234.171:6892 | udp | |
| AM | 31.184.234.172:6892 | udp | |
| AM | 31.184.234.173:6892 | udp | |
| AM | 31.184.234.174:6892 | udp | |
| AM | 31.184.234.175:6892 | udp | |
| AM | 31.184.234.176:6892 | udp | |
| AM | 31.184.234.177:6892 | udp | |
| AM | 31.184.234.178:6892 | udp | |
| AM | 31.184.234.179:6892 | udp | |
| AM | 31.184.234.180:6892 | udp | |
| AM | 31.184.234.181:6892 | udp | |
| AM | 31.184.234.182:6892 | udp | |
| AM | 31.184.234.183:6892 | udp | |
| AM | 31.184.234.184:6892 | udp | |
| AM | 31.184.234.185:6892 | udp | |
| AM | 31.184.234.186:6892 | udp | |
| AM | 31.184.234.187:6892 | udp | |
| AM | 31.184.234.188:6892 | udp | |
| AM | 31.184.234.189:6892 | udp | |
| AM | 31.184.234.190:6892 | udp | |
| AM | 31.184.234.191:6892 | udp | |
| AM | 31.184.234.192:6892 | udp | |
| AM | 31.184.234.193:6892 | udp | |
| AM | 31.184.234.194:6892 | udp | |
| AM | 31.184.234.195:6892 | udp | |
| AM | 31.184.234.196:6892 | udp | |
| AM | 31.184.234.197:6892 | udp | |
| AM | 31.184.234.198:6892 | udp | |
| AM | 31.184.234.199:6892 | udp | |
| AM | 31.184.234.200:6892 | udp | |
| AM | 31.184.234.201:6892 | udp | |
| AM | 31.184.234.202:6892 | udp | |
| AM | 31.184.234.203:6892 | udp | |
| AM | 31.184.234.204:6892 | udp | |
| AM | 31.184.234.205:6892 | udp | |
| AM | 31.184.234.206:6892 | udp | |
| AM | 31.184.234.207:6892 | udp | |
| AM | 31.184.234.208:6892 | udp | |
| AM | 31.184.234.209:6892 | udp | |
| AM | 31.184.234.210:6892 | udp | |
| AM | 31.184.234.211:6892 | udp | |
| AM | 31.184.234.212:6892 | udp | |
| AM | 31.184.234.213:6892 | udp | |
| AM | 31.184.234.214:6892 | udp | |
| AM | 31.184.234.215:6892 | udp | |
| AM | 31.184.234.216:6892 | udp | |
| AM | 31.184.234.217:6892 | udp | |
| AM | 31.184.234.218:6892 | udp | |
| AM | 31.184.234.219:6892 | udp | |
| AM | 31.184.234.220:6892 | udp | |
| AM | 31.184.234.221:6892 | udp | |
| AM | 31.184.234.222:6892 | udp | |
| AM | 31.184.234.223:6892 | udp | |
| AM | 31.184.234.224:6892 | udp | |
| AM | 31.184.234.225:6892 | udp | |
| AM | 31.184.234.226:6892 | udp | |
| AM | 31.184.234.227:6892 | udp | |
| AM | 31.184.234.228:6892 | udp | |
| AM | 31.184.234.229:6892 | udp | |
| AM | 31.184.234.230:6892 | udp | |
| AM | 31.184.234.231:6892 | udp | |
| AM | 31.184.234.232:6892 | udp | |
| AM | 31.184.234.233:6892 | udp | |
| AM | 31.184.234.234:6892 | udp | |
| AM | 31.184.234.235:6892 | udp | |
| AM | 31.184.234.236:6892 | udp | |
| AM | 31.184.234.237:6892 | udp | |
| AM | 31.184.234.238:6892 | udp | |
| AM | 31.184.234.239:6892 | udp | |
| AM | 31.184.234.240:6892 | udp | |
| AM | 31.184.234.241:6892 | udp | |
| AM | 31.184.234.242:6892 | udp | |
| AM | 31.184.234.243:6892 | udp | |
| AM | 31.184.234.244:6892 | udp | |
| AM | 31.184.234.245:6892 | udp | |
| AM | 31.184.234.246:6892 | udp | |
| AM | 31.184.234.247:6892 | udp | |
| AM | 31.184.234.248:6892 | udp | |
| AM | 31.184.234.249:6892 | udp | |
| AM | 31.184.234.250:6892 | udp | |
| AM | 31.184.234.251:6892 | udp | |
| AM | 31.184.234.252:6892 | udp | |
| AM | 31.184.234.253:6892 | udp | |
| AM | 31.184.234.254:6892 | udp | |
| AM | 31.184.234.255:6892 | udp | |
| AM | 31.184.235.0:6892 | udp | |
| AM | 31.184.235.1:6892 | udp | |
| AM | 31.184.235.2:6892 | udp | |
| AM | 31.184.235.3:6892 | udp | |
| AM | 31.184.235.4:6892 | udp | |
| AM | 31.184.235.5:6892 | udp | |
| AM | 31.184.235.6:6892 | udp | |
| AM | 31.184.235.7:6892 | udp | |
| AM | 31.184.235.8:6892 | udp | |
| AM | 31.184.235.9:6892 | udp | |
| AM | 31.184.235.10:6892 | udp | |
| AM | 31.184.235.11:6892 | udp | |
| AM | 31.184.235.12:6892 | udp | |
| AM | 31.184.235.13:6892 | udp | |
| AM | 31.184.235.14:6892 | udp | |
| AM | 31.184.235.15:6892 | udp | |
| AM | 31.184.235.16:6892 | udp | |
| AM | 31.184.235.17:6892 | udp | |
| AM | 31.184.235.18:6892 | udp | |
| AM | 31.184.235.19:6892 | udp | |
| AM | 31.184.235.20:6892 | udp | |
| AM | 31.184.235.21:6892 | udp | |
| AM | 31.184.235.22:6892 | udp | |
| US | 8.8.8.8:53 | xrhwryizf5mui7a5.uw9x7z.bid | udp |
| US | 8.8.8.8:53 | btc.blockr.io | udp |
| US | 8.8.8.8:53 | api.blockcypher.com | udp |
| US | 104.20.98.10:80 | api.blockcypher.com | tcp |
| US | 8.8.8.8:53 | chain.so | udp |
| US | 104.22.64.108:443 | chain.so | tcp |
Files
\Users\Admin\AppData\Local\Temp\nso149C.tmp\System.dll
| MD5 | 3e6bf00b3ac976122f982ae2aadb1c51 |
| SHA1 | caab188f7fdc84d3fdcb2922edeeb5ed576bd31d |
| SHA256 | 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe |
| SHA512 | 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706 |
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta
| MD5 | 6923d54ebd93f4268d680d65fd8ea11d |
| SHA1 | a2cf1ea9453c50b9aca6ac9c6184bdf26a4ffed7 |
| SHA256 | 367d3d4b54d60e07ad7670dd2e016969beb4152923843aa12f995d90c6ff29d2 |
| SHA512 | 24b177219eea7e292b6a9a081d1c609c1b669fac40a31f520a4993fbf7fd109edbe82e216ae47e546a24333b81a15b61fb483a9acd6a5c2ca24961661cd43e54 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win7-20240611-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 228
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
57s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2520 wrote to memory of 4856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2520 wrote to memory of 4856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2520 wrote to memory of 4856 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4856 -ip 4856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 636
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win7-20240611-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FancyZoom.js
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win7-20231129-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\contact-us.js
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\contact-us.js
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win7-20240611-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1992 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1992 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1992 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1992 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
Files
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 75c84be6edeb473e9b347c25e79e56c1 |
| SHA1 | 8e8194182fabd97a406ab84cf7b0a5b7eaead253 |
| SHA256 | 0fa917124981b68e4a70be84598653878f56914d3390f176034b53230d9ede2c |
| SHA512 | b66541b2481b0313e85f99896b94320a4984af77356a8c2c88d47dfa178d55a04716371f2b8a94b728886ab30c6d55655a99ea07329031fb7b5ac3e6793c048a |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
159s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4040 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4040 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4040 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2512 -ip 2512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 612
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 224
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-16 23:10
Reported
2024-06-16 23:13
Platform
win7-20240611-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 244