Malware Analysis Report

2025-06-16 06:21

Sample ID 231204-vn3h7sdd94
Target 340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df
SHA256 340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df

Threat Level: Known bad

The file 340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-04 17:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-04 17:08

Reported

2023-12-04 17:11

Platform

win7-20231020-en

Max time kernel

122s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsvc.exe" C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\UDP Service\udpsvc.exe C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A
File opened for modification C:\Program Files (x86)\UDP Service\udpsvc.exe C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe
PID 2100 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe C:\Windows\SysWOW64\schtasks.exe
PID 2100 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe

"C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe"

C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe

"C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAD9D.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAEB7.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 btldinc7.sytes.net udp
BG 91.92.251.203:4510 btldinc7.sytes.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpAD9D.tmp

MD5 03f5b9ec9db6068a5562292b3012ed49
SHA1 304033e8fde3f437b9a0a2c60671574f042e8799
SHA256 8422cf40de0753ca59d6a62f065b5b53b48602577db47da313ae28f6c783f37d
SHA512 c0fc6adfe0a354677d1e5d91b466b3a6dbd2d912deb49a0707bc9d41e3915953701877a20a8a9da3a0655eec57ee98a5430817ec51af706706232cda543b13f0

C:\Users\Admin\AppData\Local\Temp\tmpAEB7.tmp

MD5 1b87aeb30b82c980d66a27dcaf6b6b3c
SHA1 ca5cc8e61a39be38ebe6b295b1b39b012808222e
SHA256 bd1b0eab0a2e61816941ca6060e9c63a10184038c8e7b67ef1fbb4bd533481c6
SHA512 7c0f8744fe569c358d1941acca93079f3d8fb5fa60b6499642659e83da5666200e13b2db728675d5b75c6cfb63f2c88eab7792036ae6ab0dca1913d25c6cfe7f

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-04 17:08

Reported

2023-12-04 17:11

Platform

win10v2004-20231127-en

Max time kernel

91s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Manager = "C:\\Program Files (x86)\\DHCP Manager\\dhcpmgr.exe" C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Manager\dhcpmgr.exe C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Manager\dhcpmgr.exe C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1520 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe
PID 1520 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe
PID 2168 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe C:\Windows\SysWOW64\schtasks.exe
PID 2168 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe

"C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe"

C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe

"C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe"

C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe

"C:\Users\Admin\AppData\Local\Temp\340afda65e77e299379392aa25dd7dd040d1a87e51f2249547d083a1d85641df.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC61A.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC7A1.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 btldinc7.sytes.net udp
BG 91.92.251.203:4510 btldinc7.sytes.net tcp
US 8.8.8.8:53 203.251.92.91.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 81.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpC61A.tmp

MD5 03f5b9ec9db6068a5562292b3012ed49
SHA1 304033e8fde3f437b9a0a2c60671574f042e8799
SHA256 8422cf40de0753ca59d6a62f065b5b53b48602577db47da313ae28f6c783f37d
SHA512 c0fc6adfe0a354677d1e5d91b466b3a6dbd2d912deb49a0707bc9d41e3915953701877a20a8a9da3a0655eec57ee98a5430817ec51af706706232cda543b13f0

C:\Users\Admin\AppData\Local\Temp\tmpC7A1.tmp

MD5 cdf5683344404764a0f3592e9db8a5a1
SHA1 6705943b404de237cdd7080c05af25e2b1b6410c
SHA256 1ea0af7c86be3e61c281ada0470c6dcf178834380def1903b5bb78b49440ffff
SHA512 23c56873ca8520784cc1d6b0b4211b373fff6fb429872932e5274801d3b9d786566877cd16d1ffa0adca8c7aebb0b935701a0c071073edfbdb319002f99a182b
