Analysis Overview
SHA256
220d8c63d04f7aced4725061fc6c05187b6359eff21fef78286a9c099d41055e
Threat Level: Known bad
The file f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Drops file in Drivers directory
Sets service image path in registry
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Enumerates connected drives
Modifies WinLogon
Installs/modifies Browser Helper Object
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 10:04
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 10:04
Reported
2024-04-15 10:07
Platform
win7-20240221-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fewfwe.com | udp |
| US | 3.94.41.167:80 | fewfwe.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
| US | 3.94.41.167:80 | fewfwe.com | tcp |
| US | 104.26.7.37:443 | www.hugedomains.com | tcp |
Files
memory/1864-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2584-1-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Users\Admin\AppData\Local\cftmon.exe
| MD5 | c98cb3a2873f69beb64ec090e2b3416a |
| SHA1 | 60ccb4e7f363cc36ff157cfe0ab86bcb1ba99465 |
| SHA256 | 368d4956a24ca55f0a0ba4ae631e2b92310d75deda254d1d7374b35fa9f9e09c |
| SHA512 | a67b5dc5da17ff4cde15389a9c64e047b403d49700237adebe214cca8eccadb62fc5181f5de9a46eb5f43f984a6124e1316907d2bd49d16007d07a4218c97935 |
memory/1864-12-0x0000000010000000-0x000000001010B000-memory.dmp
\Windows\SysWOW64\ftpdll.dll
| MD5 | d807aa04480d1d149f7a4cac22984188 |
| SHA1 | ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9 |
| SHA256 | eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb |
| SHA512 | 875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e |
memory/1864-14-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1864-13-0x0000000010000000-0x000000001010B000-memory.dmp
memory/2812-16-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2584-15-0x00000000003D0000-0x00000000003F6000-memory.dmp
memory/3024-17-0x0000000000380000-0x00000000003A6000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 524aec5d6740cc538d4318e1497ee1fa |
| SHA1 | f66c7ccae1c728b8483f744f3462d88faf24342c |
| SHA256 | facbaef5e9c5175de03df5cdd6d1c0d54486da85ab248ddd82bff9dd883eac0b |
| SHA512 | 28edd2fd067abe4f0d55b2fff037796fe263e196dfecb68375cb9e4758babe3eb5a85e52c4f64e2da6daf34e2e5908f31693bd13e230324c8cd19899b43003ae |
memory/2560-26-0x0000000010000000-0x000000001010B000-memory.dmp
memory/2560-27-0x0000000010000000-0x000000001010B000-memory.dmp
memory/2560-28-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2584-29-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3024-30-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2584-31-0x00000000003D0000-0x00000000003F6000-memory.dmp
memory/2812-32-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3024-33-0x0000000000380000-0x00000000003A6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 10:04
Reported
2024-04-15 10:07
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f0cc48e489e7bd14726d1602ac35239b_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fewfwe.com | udp |
| US | 34.205.242.146:80 | fewfwe.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 172.67.70.191:443 | www.hugedomains.com | tcp |
| US | 8.8.8.8:53 | fewfwe.net | udp |
| US | 8.8.8.8:53 | 146.242.205.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.70.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/2196-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2932-1-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Users\Admin\AppData\Local\cftmon.exe
| MD5 | 08aed651d5bed7f3687feea0e81cf44b |
| SHA1 | 8e2bda296380af48b1b5daad8ea896e04dcd949a |
| SHA256 | 5b6cedffa9218fd6a6eb6a23957931e27daad2bc4331574b35e602231fa168f2 |
| SHA512 | d9a14be1afdd1ba3d1381f2620cc2f9b8c3f6229f75b1850cb2fbd3d452a22f943ba5192c6232a08b448c7722146b5cb02449d0446c0eb1217e38ef3a4751c95 |
C:\Windows\SysWOW64\ftpdll.dll
| MD5 | d807aa04480d1d149f7a4cac22984188 |
| SHA1 | ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9 |
| SHA256 | eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb |
| SHA512 | 875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e |
memory/2196-19-0x0000000010000000-0x000000001010B000-memory.dmp
memory/2196-20-0x0000000010000000-0x000000001010B000-memory.dmp
memory/2196-21-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2932-23-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3368-24-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1700-25-0x0000000000400000-0x0000000000426000-memory.dmp