Malware Analysis Report

2025-08-05 14:33

Sample ID 221127-abyz2aee29
Target e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9
SHA256 e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9

Threat Level: Known bad

The file e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-27 00:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-27 00:02

Reported

2022-11-27 17:41

Platform

win7-20221111-en

Max time kernel

191s

Max time network

197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\ISS Manager\issmgr.exe C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A
File created C:\Program Files (x86)\ISS Manager\issmgr.exe C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 576 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe

"C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe"

C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe

"C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 funnypic.dyndns-remote.com udp
N/A 8.8.4.4:53 funnypic.dyndns-remote.com udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-11-27 00:02

Reported

2022-11-27 17:40

Platform

win10v2004-20220901-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3704 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe

"C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe"

C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe

"C:\Users\Admin\AppData\Local\Temp\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe"

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 tcp
N/A 93.184.220.29:80 tcp
N/A 8.8.8.8:53 funnypic.dyndns-remote.com udp
N/A 8.8.4.4:53 funnypic.dyndns-remote.com udp
N/A 20.189.173.15:443 tcp
N/A 2.18.109.224:443 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\e5a08c20ffae6658a8f4e91c1154b10abe7eb7bf1e6b0cfd33eed75713a7e4e9.exe.log

MD5 3bc2150211e33cd343b025da5a9b1457
SHA1 a180ee6e62a496a226590390651a1d3708c7b89c
SHA256 ff2e05f53cc9b927bed429bb2df53290223b459c49be1bea6b0ef13c52903787
SHA512 e192903a8d0855203615c2ddd60c45c791492327fcd8a025e1dd1744cc2a526a4e90b8619e19b170f3ed808f3cbe4c839dc86fc70d97c5b0fb86ea529b78442c
