Analysis Overview
SHA256
1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05
Threat Level: Known bad
The file 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05 was found to be: Known bad.
Malicious Activity Summary
Detects DLL dropped by Raspberry Robin.
RedLine
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Loads dropped DLL
Themida packer
Checks BIOS information in registry
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
GoLang User-Agent
Analysis: static1
Detonation Overview
Reported
2023-07-26 00:26
Signatures
Themida packer
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-26 00:26
Reported
2023-07-26 00:31
Platform
win7-20230712-en
Max time kernel
271s
Max time network
278s
Signatures
Detects DLL dropped by Raspberry Robin.
Laplas Clipper
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1880 set thread context of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\Notepod.exe
"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rcam25.tuktuk.ug | udp |
| NL | 85.209.3.9:11290 | rcam25.tuktuk.ug | tcp |
| NL | 45.66.230.149:80 | 45.66.230.149 | tcp |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
Files
\Users\Admin\AppData\Local\Temp\Notepod.exe
| MD5 | 18658dec7775fa53f081b892d6a2b027 |
| SHA1 | fa8d901c7aac70e2c37544883ce087e48c6302d1 |
| SHA256 | 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554 |
| SHA512 | cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 2d0bf19ec79b0508cb7b51377a0b97ab |
| SHA1 | 0c3e52529dc41a8bd9bbed8ba64ce4786ed5a1d3 |
| SHA256 | 3021900afa22c1d9c677b4068252cd358c4b0680ffd845c7969f99eb1c5dbd11 |
| SHA512 | dd633eaa07f9a489ead949349b655a16bf32f5129f75796d90bb5125e9b4a7f5b9f90622bcf53408ac790b5bf6eabcec58c13a437c6dc8ca0714c4f1021b871a |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-26 00:26
Reported
2023-07-26 00:31
Platform
win10-20230703-en
Max time kernel
128s
Max time network
257s
Signatures
Detects DLL dropped by Raspberry Robin.
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1720 set thread context of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rcam25.tuktuk.ug | udp |
| NL | 85.209.3.9:11290 | rcam25.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 9.3.209.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files