Malware Analysis Report

2024-10-19 07:12

Sample ID 240505-jx2sgsbg9v
Target https://mega.nz/file/jqxVWIQT#EcaGfUbysreSEyuzDiIu9RNSIk7rIGYTYiGugzjLoqE
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file https://mega.nz/file/jqxVWIQT#EcaGfUbysreSEyuzDiIu9RNSIk7rIGYTYiGugzjLoqE was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Modifies Installed Components in the registry

Adds Run key to start application

Drops file in Program Files directory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-05 08:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-05 08:03

Reported

2024-05-05 08:06

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/jqxVWIQT#EcaGfUbysreSEyuzDiIu9RNSIk7rIGYTYiGugzjLoqE

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files\\SMTP Subsystem\\smtpss.exe" C:\Users\Admin\Downloads\godhuntermode.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\SMTP Subsystem\smtpss.exe C:\Users\Admin\Downloads\godhuntermode.exe N/A
File opened for modification C:\Program Files\SMTP Subsystem\smtpss.exe C:\Users\Admin\Downloads\godhuntermode.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{A7877BB6-314B-4D92-9A8D-6CD919E6050E} C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\godhuntermode.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\godhuntermode.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\godhuntermode.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\godhuntermode.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\godhuntermode.exe N/A
N/A N/A C:\Users\Admin\Downloads\godhuntermode.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1128 wrote to memory of 1780 N/A C:\Users\Admin\Downloads\godhuntermode.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1128 wrote to memory of 1780 N/A C:\Users\Admin\Downloads\godhuntermode.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1128 wrote to memory of 4956 N/A C:\Users\Admin\Downloads\godhuntermode.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1128 wrote to memory of 4956 N/A C:\Users\Admin\Downloads\godhuntermode.exe C:\Windows\SYSTEM32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/jqxVWIQT#EcaGfUbysreSEyuzDiIu9RNSIk7rIGYTYiGugzjLoqE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4816 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4892 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4732 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=1328 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=4904 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5236 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x504 0x304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6236 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6212 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6552 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6792 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6976 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Downloads\godhuntermode.exe

"C:\Users\Admin\Downloads\godhuntermode.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDE45.tmp"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF11.tmp"

C:\Windows\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=5812 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1

Network


Files

C:\Users\Admin\AppData\Local\Temp\tmpDE45.tmp

MD5 27c110eeac8b064d06586616a32e5ccd
SHA1 c02635e49bb1bbc6a2966e0b7952fff0892d3cf1
SHA256 21ad204215b4be0d8900c4f8d19a58fc245db473b3d15101212899b8364d2294
SHA512 a6928600c976c1ccacfb98c80dd5479f40768100d638babd36da0efd1c34d4dbb7ca555b59d25a8713ad38cffbe7e4ead1c6731820286502a4c986cd93b15c7a

C:\Users\Admin\AppData\Local\Temp\tmpDF11.tmp

MD5 f4819a1db9e68dc60cf594a7262a3f4c
SHA1 105f1392b72f117e378e502436eafadac5d6eb95
SHA256 9648afd55d1ee72983b04b574bb1fa870549d3db91dafdd7a15e253858090f2a
SHA512 18a71e6ecd89ee2f8cb9d55abc0507acfddacc18c6fff9bbd2e891cf4b3dacad8e2a2bc5a76071d6539ab23b905b8e0e313806152795b9b3a20882d90f6cfa2a
