Analysis Overview
SHA256
5677454eb78a84614f74908647124a2694f72a39c557b5c51a48cdafff4a224f
Threat Level: Likely malicious
The file a8f5fb2f8f9d470d839a66f97fac8993_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Drops file in Drivers directory
Identifies Wine through registry keys
Checks BIOS information in registry
Writes to the Master Boot Record (MBR)
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 09:26
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 09:26
Reported
2024-06-14 09:28
Platform
win7-20240221-en
Max time kernel
144s
Max time network
118s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\Save\default\setting.ini
| MD5 | 63933b827725bd9e451297552f1c3098 |
| SHA1 | 814995b11ca52023ad74365ac3c9aa2c3d5ddc43 |
| SHA256 | 764db806f9822a960b6a6434041a931506ba2b764f7a19943c3263c54382e419 |
| SHA512 | e4aa379bb4e56796403316158a55a5d8f033b62bdfc7223ef9b27ddced207c59e179d538328e17eff7ffdccfb066dabcd63d69bf6ac588a83383afbf478ca2d1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 09:26
Reported
2024-06-14 09:28
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
54s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\[RHX]-GameLauncher.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Save\default\setting.ini
| MD5 | 63933b827725bd9e451297552f1c3098 |
| SHA1 | 814995b11ca52023ad74365ac3c9aa2c3d5ddc43 |
| SHA256 | 764db806f9822a960b6a6434041a931506ba2b764f7a19943c3263c54382e419 |
| SHA512 | e4aa379bb4e56796403316158a55a5d8f033b62bdfc7223ef9b27ddced207c59e179d538328e17eff7ffdccfb066dabcd63d69bf6ac588a83383afbf478ca2d1 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-14 09:26
Reported
2024-06-14 09:28
Platform
win7-20240611-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe
"C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe"
Network
Files
memory/1244-0-0x0000000000400000-0x000000000092E000-memory.dmp
memory/1244-1-0x0000000077970000-0x0000000077972000-memory.dmp
memory/1244-2-0x0000000000401000-0x00000000004BA000-memory.dmp
memory/1244-3-0x0000000000400000-0x000000000092E000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-14 09:26
Reported
2024-06-14 09:28
Platform
win7-20240508-en
Max time kernel
141s
Max time network
120s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 480
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | protector-market.net | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-14 09:26
Reported
2024-06-14 09:29
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
100s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3900 wrote to memory of 5068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5068 -ip 5068
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | protector-market.net | udp |
Files
memory/5068-0-0x0000000074690000-0x0000000074AE1000-memory.dmp
memory/5068-2-0x0000000074690000-0x0000000074AE1000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 09:26
Reported
2024-06-14 09:29
Platform
win7-20240611-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe"
Network
Files
memory/2404-0-0x0000000000400000-0x0000000001118000-memory.dmp
memory/2404-3-0x0000000000400000-0x0000000001118000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-14 09:26
Reported
2024-06-14 09:28
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\[RHX]-Launcher.exe"
Network
Files
memory/4384-0-0x0000000000400000-0x0000000001118000-memory.dmp
memory/4384-2-0x0000000000400000-0x0000000001118000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-14 09:26
Reported
2024-06-14 09:28
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
95s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe
"C:\Users\Admin\AppData\Local\Temp\[RHX]-RestoreGame.exe"
Network
Files
memory/3204-0-0x0000000000400000-0x000000000092E000-memory.dmp
memory/3204-1-0x0000000077814000-0x0000000077816000-memory.dmp
memory/3204-2-0x0000000000401000-0x00000000004BA000-memory.dmp
memory/3204-3-0x0000000000400000-0x000000000092E000-memory.dmp