Analysis Overview
SHA256
3a903150a230d5a6f08058cddedf503aa25076b489690a092b3ee46298cfd531
Threat Level: Known bad
The file 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Drops startup file
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-06 18:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-06 18:05
Reported
2024-05-06 18:08
Platform
win7-20240221-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
NanoCore
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\..url | C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 112 set thread context of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2665.tmp" "c:\Users\Admin\AppData\Local\Temp\1i033x1w\CSC677D710CA27C4C24A8AC3AA7EF177BF0.TMP"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /sc MINUTE /tn Intel /MO 1 /tr "C:\Users\Admin\AppData\Roaming\null\
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {DDD22CF5-D4E7-43A0-8ABB-9225C7372A25} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
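The process list above shows the full chain: the sample compiles a helper with csc.exe from a response file in %TEMP%, registers a scheduled task that fires every minute with an action under AppData\Roaming, and starts RegAsm.exe with no arguments before setting its thread context (PID 112 sets the context of PID 2420). The detection logic below is added here as an example and is not part of the sandbox report; it encodes those three observations as rules over process-creation events. The events are constructed from the command lines above; the PIDs other than 112 and 2420, the parent/child links, and the list of .NET host binaries are assumptions of the example.

```python
"""Detection logic over process-creation events, modelled on the behavioral1
process tree.  Added example, not part of the sandbox report.  Command lines
are the ones the report shows; PIDs other than 112 (the sample) and 2420
(RegAsm.exe) and the parent/child links are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# .NET framework binaries commonly used as injection hosts (assumed list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
# Anything under a user's AppData is writable without elevation.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def schtasks_persistence(ev: ProcEvent) -> Optional[str]:
    """schtasks /create with a short minute trigger whose action lives in a
    user-writable path: the persistence pattern in the process list."""
    if _basename(ev.image) != "schtasks.exe":
        return None
    c = ev.cmdline
    if not re.search(r"(?i)(^|\s)/create(\s|$)", c):
        return None
    reasons = []
    if re.search(r"(?i)/sc\s+minute", c):
        mo = re.search(r"(?i)/mo\s+(\d+)", c)
        interval = int(mo.group(1)) if mo else 1  # schtasks default modifier is 1
        if interval <= 5:
            reasons.append(f"runs every {interval} minute(s)")
    tr = re.search(r'(?i)/tr\s+"?([^"]+)', c)
    if tr and USER_WRITABLE.search(tr.group(1)):
        reasons.append("task action is in a user-writable profile path")
    return "; ".join(reasons) if reasons else None


def temp_csc_compile(ev: ProcEvent) -> Optional[str]:
    """csc.exe compiling a response file out of the user profile: run-time
    code generation by something that is not a build tool."""
    if _basename(ev.image) != "csc.exe":
        return None
    m = re.search(r'(?i)@"?([^"\s]+\.cmdline)', ev.cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        return f"csc.exe compiling response file {m.group(1)}"
    return None


def lolbin_host_spawn(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """A .NET host binary started with no arguments by a parent running out of
    the user profile.  RegAsm.exe does nothing useful without arguments; this
    is the parent/child shape behind the SetThreadContext signature."""
    if _basename(ev.image) not in DOTNET_HOSTS:
        return None
    parent = by_pid.get(ev.ppid)
    if parent is None or not USER_WRITABLE.search(parent.image):
        return None
    # Drop the (possibly quoted) image path; anything left is an argument.
    rest = re.sub(r'^\s*("[^"]*"|\S+)\s*', "", ev.cmdline)
    if rest:
        return None
    return f"{_basename(ev.image)} started with no arguments by {_basename(parent.image)}"


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for check in (schtasks_persistence, temp_csc_compile):
            r = check(ev)
            if r:
                findings.append((ev.pid, check.__name__, r))
        r = lolbin_host_spawn(ev, by_pid)
        if r:
            findings.append((ev.pid, "lolbin_host_spawn", r))
    return findings


# Constructed from the behavioral1 process list; PIDs 200/300/301 are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
EVENTS = [
    ProcEvent(112, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(200, 112, FW + r"\csc.exe",
              f'"{FW}\\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.cmdline"'),
    ProcEvent(300, 112, r"C:\Windows\SysWOW64\schtasks.exe", '"schtasks.exe" /query'),
    # The /tr argument is cut off in the report; it is reproduced as shown there.
    ProcEvent(301, 112, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /sc MINUTE /tn Intel /MO 1 /tr "C:\Users\Admin\AppData\Roaming\null' + "\\"),
    ProcEvent(2420, 112, FW + r"\RegAsm.exe", f'"{FW}\\RegAsm.exe"'),
]

if __name__ == "__main__":
    for pid, rule, why in evaluate(EVENTS):
        print(f"pid {pid}: {rule}: {why}")
```

`schtasks_persistence` keys on the trigger interval and the action path rather than on the task name, since the name (Intel in this run) is whatever the builder was configured with, and `lolbin_host_spawn` requires the parent to run from the profile so that a developer's Visual Studio invoking RegAsm.exe does not fire it.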
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | smithhk.ddns.net | udp | 37 |
| US | 8.8.4.4:53 | smithhk.ddns.net | udp | 36 |
All 73 network events in this run are DNS queries for smithhk.ddns.net, sent alternately to 8.8.8.8 and 8.8.4.4. The report records no TCP session to any address, so the dynamic-DNS hostname, not a resolved IP, is the network indicator to hunt for.
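Because the table records nothing but repeated DNS queries, the useful triage step is to collapse it and ask which names are worth hunting for. The helper below is added here as an example and is not part of the report; it parses a table in this format, collapses repeated rows into counts, separates reverse lookups and TCP sessions from forward queries, and flags names that belong to a dynamic-DNS provider or were re-queried many times. The excerpt it runs on is constructed in the report's row format (it also includes the misaligned TCP row style that the second run's table uses); the dynamic-DNS suffix list is the example's assumption.

```python
"""Triage a sandbox network table of the form shown in this report.  Added
example, not part of the report.  SAMPLE_TABLE is a constructed excerpt in the
report's row format; DDNS_SUFFIXES is an assumed list."""
from collections import Counter
from typing import Dict, List, Tuple

# Free dynamic-DNS suffixes frequently used for RAT C2 names (assumed list).
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")


def parse_rows(text: str) -> List[Dict[str, str]]:
    """Parse '| Country | Destination | Domain | Proto |' rows."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and proto == "":   # proto spilled into Domain
            domain, proto = "", domain
        if domain == "N/A":
            domain = ""
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def summarize(rows: List[Dict[str, str]]) -> Counter:
    """Collapse repeated rows into (destination, domain, proto) counts."""
    return Counter((r["dest"], r["domain"], r["proto"]) for r in rows)


def is_reverse_lookup(name: str) -> bool:
    return name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa")


def flag_c2_candidates(rows: List[Dict[str, str]], min_queries: int = 10) -> List[Tuple[str, int, List[str]]]:
    """Names worth hunting for: dynamic-DNS hosts, and names re-queried so
    often that the client is evidently retrying (the name did not resolve, or
    the implant re-resolves before every connection attempt)."""
    counts = Counter(
        r["domain"].lower() for r in rows
        if r["proto"] == "udp" and r["domain"] and not is_reverse_lookup(r["domain"])
    )
    flagged = []
    for name, n in counts.most_common():
        reasons = []
        if name.endswith(DDNS_SUFFIXES):
            reasons.append("dynamic DNS provider")
        if n >= min_queries:
            reasons.append(f"queried {n} times")
        if reasons:
            flagged.append((name, n, reasons))
    return flagged


def tcp_peers(rows: List[Dict[str, str]]) -> List[str]:
    """Addresses that actually received a TCP session, to compare against the
    flagged names: a C2 name with no matching session means no resolution."""
    return sorted({r["dest"] for r in rows if r["proto"] == "tcp"})


# Constructed excerpt in the report's table format (counts are illustrative).
SAMPLE_TABLE = (
    "| Country | Destination | Domain | Proto |\n"
    "| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |\n"
    "| US | 20.231.121.79:80 | tcp | |\n"
    + "| US | 8.8.8.8:53 | smithhk.ddns.net | udp |\n" * 7
    + "| US | 8.8.4.4:53 | smithhk.ddns.net | udp |\n" * 5
)

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TABLE)
    for key, n in summarize(rows).most_common():
        print(n, *key)
    print(flag_c2_candidates(rows))
    print(tcp_peers(rows))
```

Reverse lookups are excluded deliberately: sandboxes on Windows 10 generate in-addr.arpa queries for their own telemetry endpoints, and they would otherwise dominate any frequency-based rule.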
Files
memory/112-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp
memory/112-1-0x0000000000CA0000-0x0000000000CF4000-memory.dmp
memory/112-2-0x0000000074CD0000-0x00000000753BE000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.cmdline
| MD5 | b62b62d8c2cfabf7f7b97cbd0dbeb6ce |
| SHA1 | 84179fb86a0c94ebb345f62df97fe71fce25624f |
| SHA256 | 0e70c70e6de83eeaa875d7cb726095edc2671c050df658ec07f97acaa0ffacd5 |
| SHA512 | 1a012aa5a894ef4b002ce79c77ebd2b0853fdc10f2eaec8025bbbed7dd4c0aa41fdb8fba2375f8e39f690884cfd09f746fe956c01a4beac24583eac0bc6fd498 |
\??\c:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.0.cs
| MD5 | 21cd1b3e77c3f770205babc7a862c6ef |
| SHA1 | ee71e8ef404a95d7f77e2421d5892f349d0fc2be |
| SHA256 | 905250aa3670ddec5a3a4d3c2427190f973fe3c669b030884b5ef7da6339b075 |
| SHA512 | 806ce8d2162864331b29ebb1fe0bf814965db9077c537d5a0b9c13294c1edcba6e11c5f929824a3aef8680097e0322c09481f4aaa450cceee788591f6d2441b4 |
\??\c:\Users\Admin\AppData\Local\Temp\1i033x1w\CSC677D710CA27C4C24A8AC3AA7EF177BF0.TMP
| MD5 | b8a3b8f4f42256c7b24bcbfbbbd8465b |
| SHA1 | 64ecf56bfb45e8f6aa323155a10e8a3a72e9a087 |
| SHA256 | 34e1bbb560360bf5925db35dd6eaa742428738c9e72ed320237c4e8da8e86237 |
| SHA512 | 882c657de6b3cd04f9e45ae260820a6f9965d450203101953d4bb439f3a306e312bccec52bc7760c3d00a3022a828fbd05dcd8789e9169d0247cad5a990e596a |
C:\Users\Admin\AppData\Local\Temp\RES2665.tmp
| MD5 | f94dffec592d234baba7811193fc96ec |
| SHA1 | f034ffe0603e7dee7478121f7e57efdb360eea81 |
| SHA256 | 3362c95afa86e1ed2e81ad9fb1b07d50a9e36fa83e52565f59885f4c4223687e |
| SHA512 | 2b716aee6bd593925e6484093f43af0f837b48b0b54ce8cc7d04f51fa77d631639d409c46e4b3f023093783e5226e44ed324467979c05b605cff2bf14a06b74e |
C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.dll
| MD5 | 1eb72ef87f3b3192a85d7baaf0bba5de |
| SHA1 | 224ac941518bce99fd86c1915ceea0811580b8e2 |
| SHA256 | e850b72396bd1d0a3e044179a0cf90036660cf1bdfa1b1aab189ba70cf0305c3 |
| SHA512 | 77c188baa0378318702ff03abd47c66561845ecc67f3902a0df68f5233a108e73d01aecc0cc4a9ad005e89773bddd1cc844780c99851370e1b9ebd1dbf00abc7 |
C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.pdb
| MD5 | 17d7c39ee60c41a171399224f5fe875f |
| SHA1 | 236b90ec2dc254222d89e8637790cb14c619da20 |
| SHA256 | 82fbe1e585d1f1ada97935c76852caf4a641b995d02a69e1bbc471a6100f8fcb |
| SHA512 | 1578427a0a50d29b4bfbf1feeb9165e3c6aa5a792b43ba3d77851e2fdc69170b86aea88adc412c4e441740b57453571369365f0990d8e93ab50d916fd261d4a1 |
memory/112-17-0x00000000003E0000-0x00000000003E8000-memory.dmp
memory/112-19-0x0000000000C60000-0x0000000000CA4000-memory.dmp
memory/112-20-0x0000000000470000-0x000000000047C000-memory.dmp
memory/112-23-0x0000000004140000-0x0000000004178000-memory.dmp
memory/2420-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2420-26-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2420-33-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2420-35-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2420-34-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2420-30-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2420-29-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2420-24-0x0000000000400000-0x0000000000438000-memory.dmp
memory/112-36-0x0000000074CD0000-0x00000000753BE000-memory.dmp
memory/2420-38-0x0000000000580000-0x000000000058A000-memory.dmp
memory/2420-39-0x0000000000590000-0x00000000005AE000-memory.dmp
memory/2420-40-0x00000000005F0000-0x00000000005FA000-memory.dmp
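The dump list pairs with the SetThreadContext signature: PID 112 (the sample) set the context of PID 2420 (RegAsm.exe), and the region 0x400000-0x438000 in PID 2420 was dumped seven times. The helper below is added as an example and is not part of the sandbox's tooling; it parses dump names of the memory/<pid>-<n>-<start>-<end>-memory.dmp form, reads the injector/target pair from the indicator text, and lists target regions that were dumped repeatedly, which are the first dumps to examine for the unpacked payload. The dump names and indicator string are copied from this run; the threshold of three dumps is an assumption.

```python
"""Correlate the SetThreadContext indicator with the memory-dump list to find
the injected image.  Added example; dump names and the indicator are copied
from the behavioral1 report, the threshold is the example's assumption."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_dump_name(name: str) -> Optional[Dict[str, int]]:
    m = DUMP_RE.match(name)
    if not m:
        return None
    return {"pid": int(m[1]), "seq": int(m[2]),
            "start": int(m[3], 16), "end": int(m[4], 16)}


def thread_context_pairs(indicators: List[str]) -> List[Tuple[int, int]]:
    """(injector, target) pairs from 'PID x set thread context of y' lines."""
    pairs = []
    for s in indicators:
        m = CTX_RE.search(s)
        if m:
            pairs.append((int(m[1]), int(m[2])))
    return pairs


def regions_by_pid(names: List[str]) -> Dict[int, Dict[Tuple[int, int], List[int]]]:
    """pid -> {(start, end): [dump sequence numbers]}"""
    out: Dict[int, Dict[Tuple[int, int], List[int]]] = defaultdict(lambda: defaultdict(list))
    for n in names:
        d = parse_dump_name(n)
        if d:
            out[d["pid"]][(d["start"], d["end"])].append(d["seq"])
    return out


def injected_image_candidates(names: List[str], indicators: List[str], min_dumps: int = 3) -> List[Dict[str, int]]:
    """For each injector->target pair, the target regions dumped repeatedly.
    A fixed, low-base region the sandbox keeps dumping after SetThreadContext
    is where the written-in payload lives; in this run that is
    0x400000-0x438000 in RegAsm.exe (PID 2420)."""
    regions = regions_by_pid(names)
    out = []
    for injector, target in thread_context_pairs(indicators):
        for (start, end), seqs in sorted(regions.get(target, {}).items()):
            if len(seqs) >= min_dumps:
                out.append({"injector": injector, "target": target, "start": start,
                            "end": end, "size": end - start, "dumps": len(seqs)})
    return out


# Copied from the behavioral1 Files list above.
DUMPS = [
    "memory/112-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp",
    "memory/112-1-0x0000000000CA0000-0x0000000000CF4000-memory.dmp",
    "memory/112-2-0x0000000074CD0000-0x00000000753BE000-memory.dmp",
    "memory/112-17-0x00000000003E0000-0x00000000003E8000-memory.dmp",
    "memory/112-19-0x0000000000C60000-0x0000000000CA4000-memory.dmp",
    "memory/112-20-0x0000000000470000-0x000000000047C000-memory.dmp",
    "memory/112-23-0x0000000004140000-0x0000000004178000-memory.dmp",
    "memory/2420-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2420-26-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2420-33-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2420-35-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2420-34-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2420-30-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2420-29-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2420-24-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/112-36-0x0000000074CD0000-0x00000000753BE000-memory.dmp",
    "memory/2420-38-0x0000000000580000-0x000000000058A000-memory.dmp",
    "memory/2420-39-0x0000000000590000-0x00000000005AE000-memory.dmp",
    "memory/2420-40-0x00000000005F0000-0x00000000005FA000-memory.dmp",
]
INDICATORS = ["PID 112 set thread context of 2420"]

if __name__ == "__main__":
    for c in injected_image_candidates(DUMPS, INDICATORS):
        print(f"{c['injector']} -> {c['target']}: 0x{c['start']:X}-0x{c['end']:X} "
              f"({c['size']} bytes, {c['dumps']} dumps)")
```

The same region dumped at sequence numbers 24 through 35 brackets the SetThreadContext event, which is why repeated dumps of one fixed region in the target are a better selector than dump size alone.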
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-06 18:05
Reported
2024-05-06 18:08
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
158s
Command Line
Signatures
NanoCore
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\..url | C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 628 set thread context of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\54ixrtip\54ixrtip.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES290F.tmp" "c:\Users\Admin\AppData\Local\Temp\54ixrtip\CSCC25CA9D1F3F441AC9AD181B36290FD66.TMP"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /sc MINUTE /tn Intel /MO 1 /tr "C:\Users\Admin\AppData\Roaming\null\
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| US | 20.231.121.79:80 | N/A | tcp | 1 |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | smithhk.ddns.net | udp | 49 |
| US | 8.8.4.4:53 | smithhk.ddns.net | udp | 32 |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp | 1 |
| US | 13.107.246.64:443 | N/A | tcp | 1 |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 48.28.101.95.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp | 1 |
81 of the 95 network events in this run are DNS queries for smithhk.ddns.net (49 via 8.8.8.8, 32 via 8.8.4.4), the same hostname as in the Windows 7 run. The reverse (in-addr.arpa) lookups and the two TCP sessions carry no process attribution in the report; with msedge.exe present in the process list they cannot be assigned to the sample on this evidence, and no TCP session to a resolved address for smithhk.ddns.net was recorded.
Files
memory/628-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp
memory/628-1-0x0000000000BD0000-0x0000000000C24000-memory.dmp
memory/628-2-0x0000000074E40000-0x00000000755F0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\54ixrtip\54ixrtip.cmdline
| MD5 | 240bcd6db79f7db6ac9891b70eb30026 |
| SHA1 | 8403e423f081d191ca18046861c4ed7061293ade |
| SHA256 | e8846aee42600e74dd7c5b9c2bcaf043ab23f6c87cca26def3d0313d8a746b57 |
| SHA512 | 8fd8558863998457a95bcc9c1c8e37f387140767d01c60002b8beb3dcfe788090477581a1dc122191e1771355dd85877be8b3ad59525bfd94b80ce8383ab9372 |
\??\c:\Users\Admin\AppData\Local\Temp\54ixrtip\54ixrtip.0.cs
| MD5 | 21cd1b3e77c3f770205babc7a862c6ef |
| SHA1 | ee71e8ef404a95d7f77e2421d5892f349d0fc2be |
| SHA256 | 905250aa3670ddec5a3a4d3c2427190f973fe3c669b030884b5ef7da6339b075 |
| SHA512 | 806ce8d2162864331b29ebb1fe0bf814965db9077c537d5a0b9c13294c1edcba6e11c5f929824a3aef8680097e0322c09481f4aaa450cceee788591f6d2441b4 |
\??\c:\Users\Admin\AppData\Local\Temp\54ixrtip\CSCC25CA9D1F3F441AC9AD181B36290FD66.TMP
| MD5 | 2492da72482474621a04af0a01f39e44 |
| SHA1 | 184df1e2d2b5560f4e5ac97d02ac6bf75511b063 |
| SHA256 | ac69b4814ed40e12df850eb5365cf57bde36bee697e83d79d15b5e8e875eba8c |
| SHA512 | f060584e7ee2b7c804d7eda4a617cda17a9dcac9d802f750a975575da25eefdcc2379dd36f741859f8d3901906eace3d7b95731f6739d60cfc022f756667a192 |
C:\Users\Admin\AppData\Local\Temp\RES290F.tmp
| MD5 | c5288916b2564c30e65653d4b70a5d38 |
| SHA1 | 92c3997c9979f9f85970c35d741565f7591d330c |
| SHA256 | 9e03dc6749b8b3214b8426bb153d32db38a070f811d716ec9f24c7cf8acda2df |
| SHA512 | e4c0ccf3d99b9d141bbca3ca3e7de117f0f0017cbb0da601c5c528103c87f771532a51ff4ba92495a85aa9f858adfa33c1b73c29ca95a527dd3338f2d40fe377 |
C:\Users\Admin\AppData\Local\Temp\54ixrtip\54ixrtip.dll
| MD5 | 85229e27e4b3fab088930f108dee0a97 |
| SHA1 | b8bd04715614076ae9881e403864e95a04c6a350 |
| SHA256 | 0fa75a10cb206bec76b7fbf6c5bb058d643086768c8808ed2ee2501809662d95 |
| SHA512 | 3fb23233f03d58e8f57a4e4e88dc902b3e6819daec29fd3129cf5166c3e09f12f05ae9ef0c9526e73d7deb8b8e25dc9459e6d296e0fce2d38b4d27f3036e8ba9 |
C:\Users\Admin\AppData\Local\Temp\54ixrtip\54ixrtip.pdb
| MD5 | acb3320a18588650826bc64aa4d529fa |
| SHA1 | d56b49ebd99b2b020ce3845e668998bcc35353d5 |
| SHA256 | 0435f405dd9d300539610b90b46234cc9458e079ecdf16b159ed6b3a1aca5e36 |
| SHA512 | 2873d206c605f0a5339bd83da02b9b07dcf3526eae388f1eb6b890584f95c2e9550763da17da11e7f6aeca602c4697ea0a2fff972c9c19ff901714bd7b0be86a |
memory/628-17-0x0000000002FC0000-0x0000000002FC8000-memory.dmp
memory/628-19-0x0000000005B10000-0x0000000005BA2000-memory.dmp
memory/628-20-0x0000000006020000-0x0000000006064000-memory.dmp
memory/628-21-0x0000000002F60000-0x0000000002F6C000-memory.dmp
memory/628-24-0x0000000005540000-0x0000000005578000-memory.dmp
memory/628-25-0x0000000006060000-0x00000000060FC000-memory.dmp
memory/4492-26-0x0000000000400000-0x0000000000438000-memory.dmp
memory/628-28-0x0000000074E40000-0x00000000755F0000-memory.dmp
memory/4492-29-0x00000000056D0000-0x0000000005C74000-memory.dmp
memory/4492-30-0x0000000005120000-0x000000000512A000-memory.dmp
memory/4492-32-0x00000000051A0000-0x00000000051AA000-memory.dmp
memory/4492-33-0x0000000005310000-0x000000000532E000-memory.dmp
memory/4492-34-0x00000000056B0000-0x00000000056BA000-memory.dmp