Malware Analysis Report

2025-01-18 01:08

Sample ID 240613-g9knmaxdra
Target a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118
SHA256 95961b8f5d59930b6e867f09c19e0b18a06445ce4d1bb8359d59ffbf0d01021c
Tags persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256

95961b8f5d59930b6e867f09c19e0b18a06445ce4d1bb8359d59ffbf0d01021c

Threat Level: Shows suspicious behavior

The file a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 06:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 06:30

Reported

2024-06-13 06:32

Platform

win7-20240611-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\updatede5a1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\54rk = "C:\\Windows\\SysWOW64\\updatede5a1.exe" C:\Windows\SysWOW64\updatede5a1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\cfghw.tmp C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\updatede5a1.exe C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cfghw.tmp C:\Windows\SysWOW64\updatede5a1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\updatede5a1.exe N/A 64

Processes

C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe"

C:\Windows\SysWOW64\updatede5a1.exe

C:\Windows\system32\updatede5a1.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 ok3.caonmb.com udp 1
US 8.8.8.8:53 www.ip138.com udp 1
CN 115.230.126.175:6623 (no domain) tcp 7
GB 163.171.146.42:80 www.ip138.com tcp 1
US 8.8.8.8:53 top.ip138.com udp 1
GB 138.113.149.152:80 top.ip138.com tcp 1
US 8.8.8.8:53 gege.zgpmsj.com udp 1
US 8.8.8.8:53 www.ipshudi.com udp 1
GB 174.35.118.62:443 www.ipshudi.com tcp 50
GB 174.35.118.62:443 (no domain) tcp 1

Count = number of identical connection rows recorded for that destination.

Files

memory/2980-0-0x0000000000400000-0x0000000000411000-memory.dmp

\Windows\SysWOW64\updatede5a1.exe

MD5 cdc555406c7ceacc5782eec02d44bb5a
SHA1 297908f62efb34be6b24c3cb2982149d76e5ce69
SHA256 293e7051a6160af58189b1128799edae1578ae9b9ae842e35b640179d9061a0e
SHA512 10617c7089301f9548880f7be0f47124457cf5c6ab0c647a812e9055b8469abb40c5b559e055fc5076ebe795f216a5f7879354954435f720a57d06b849d69b79

memory/2980-7-0x0000000000280000-0x0000000000290000-memory.dmp

memory/2908-11-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2908-16-0x0000000000020000-0x0000000000030000-memory.dmp

memory/2908-17-0x0000000000020000-0x0000000000030000-memory.dmp

memory/2908-18-0x000000000040E000-0x000000000040F000-memory.dmp

C:\Windows\SysWOW64\cfghw.tmp

MD5 fed513e713a3a892ff3daf9235fb67bd
SHA1 e6a48e3a676cc24160e76c1292151ced7c545110
SHA256 131d6c04a3295c49b694aace549c433dfe0610e376c54c1c43267e9ed47317b1
SHA512 c1dfae49d5a90a265f798345518704eeda7f7ecff6d11bdad5f3fcd96568ec9c7ab7ed15f282f6a5ad04b57022d489572bd0fa551517f8a5af9d0d658fedc6cd

C:\Windows\SysWOW64\cfghw.tmp

MD5 d7f3754acb5258c754d6407d2924bde3
SHA1 b1c195764ba742688ac62bdc18168e7dc5f99deb
SHA256 aba6b251b738d6b1f2f85917fa15808d0018ccb9e613da3d1f30965844e5777e
SHA512 f8390eb5add5727f8cd683332284ba3040a387939ab75ccab472e07701b0117005825f352ee0f34b5aba33f1ce8ae2702db9c5946caf2faf826a399f0ef38a94

memory/2908-71-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2908-107-0x0000000000020000-0x0000000000030000-memory.dmp

memory/2908-108-0x0000000000020000-0x0000000000030000-memory.dmp

memory/2908-122-0x0000000000020000-0x0000000000030000-memory.dmp

memory/2908-134-0x000000000040E000-0x000000000040F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab68A4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar68E6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0818D6C839FFFA99AF7D6971537495F

MD5 1a850f8a60f2acb4faa21bf963e4499c
SHA1 dec298f4661edd18b8224abfcacade1eac603903
SHA256 1ba28c875efe3ed49f908522ade611dcda180d0878c34d0d121c4b511bc1eeee
SHA512 193957bd18b5e21fbec737b64c1e80eb84b4c242ecaad4813e221895c9ef31b07246dbc3e75f68d4c538018f7598fa2cd31463c6207f792bb0671bc8d8e4159b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0818D6C839FFFA99AF7D6971537495F

MD5 4fdd07e4d42264391e0c3742ead1c6ae
SHA1 8094640eb5a7a1ca119c1fddd59f810263a7fbd1
SHA256 2cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf69
SHA512 626261dcc0001d3bf73f9bd041067c78cbd19337c9dfcb2fb0854f24015efa662a7441dc5389de7c1ca4f464b44bf99b6df710661a9a8902ad907ee231dba74a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 06:30

Reported

2024-06-13 06:32

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\updatede303.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\54rk = "C:\\Windows\\SysWOW64\\updatede303.exe" C:\Windows\SysWOW64\updatede303.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\cfghw.tmp C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\updatede303.exe C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cfghw.tmp C:\Windows\SysWOW64\updatede303.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\updatede303.exe N/A 64

Processes

C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0_JaffaCakes118.exe"

C:\Windows\SysWOW64\updatede303.exe

C:\Windows\system32\updatede303.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 ok3.caonmb.com udp 1
US 8.8.8.8:53 www.ip138.com udp 12
CN 115.230.126.175:6623 (no domain) tcp 6
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 gege.zgpmsj.com udp 2

Count = number of identical connection rows recorded for that destination.

Files

memory/4676-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\updatede303.exe

MD5 cdc555406c7ceacc5782eec02d44bb5a
SHA1 297908f62efb34be6b24c3cb2982149d76e5ce69
SHA256 293e7051a6160af58189b1128799edae1578ae9b9ae842e35b640179d9061a0e
SHA512 10617c7089301f9548880f7be0f47124457cf5c6ab0c647a812e9055b8469abb40c5b559e055fc5076ebe795f216a5f7879354954435f720a57d06b849d69b79

memory/4012-9-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\SysWOW64\cfghw.tmp

MD5 fed513e713a3a892ff3daf9235fb67bd
SHA1 e6a48e3a676cc24160e76c1292151ced7c545110
SHA256 131d6c04a3295c49b694aace549c433dfe0610e376c54c1c43267e9ed47317b1
SHA512 c1dfae49d5a90a265f798345518704eeda7f7ecff6d11bdad5f3fcd96568ec9c7ab7ed15f282f6a5ad04b57022d489572bd0fa551517f8a5af9d0d658fedc6cd

memory/4012-11-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\SysWOW64\cfghw.tmp

MD5 d7f3754acb5258c754d6407d2924bde3
SHA1 b1c195764ba742688ac62bdc18168e7dc5f99deb
SHA256 aba6b251b738d6b1f2f85917fa15808d0018ccb9e613da3d1f30965844e5777e
SHA512 f8390eb5add5727f8cd683332284ba3040a387939ab75ccab472e07701b0117005825f352ee0f34b5aba33f1ce8ae2702db9c5946caf2faf826a399f0ef38a94

memory/4012-62-0x0000000000400000-0x0000000000410000-memory.dmp