Malware Analysis Report

2024-08-06 14:46

Sample ID 240615-nw8lvsyhqh
Target ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118
SHA256 abc86a30c916c9a2531c12335b85fd23202cdd8f59f3a273d325f9f585128606
Tags
nanocore keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

abc86a30c916c9a2531c12335b85fd23202cdd8f59f3a273d325f9f585128606

Threat Level: Known bad

The file ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger spyware stealer trojan

NanoCore

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 11:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 11:45

Reported

2024-06-15 11:48

Platform

win7-20240611-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2844 set thread context of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2844 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2844 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2844 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2844 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2844 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2844 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2844 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2844 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2844 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2844 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2844 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2844 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2672 wrote to memory of 2600 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2600 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2600 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2600 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IcyOBKPuqiF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADFB.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp
US 8.8.8.8:53 moregrace.duckdns.org udp
NL 2.58.149.83:443 moregrace.duckdns.org tcp

Files

memory/2844-0-0x0000000074761000-0x0000000074762000-memory.dmp

memory/2844-1-0x0000000074760000-0x0000000074D0B000-memory.dmp

memory/2844-2-0x0000000074760000-0x0000000074D0B000-memory.dmp

memory/2844-3-0x0000000074760000-0x0000000074D0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpADFB.tmp

MD5 33aea366553dbea6943a6d889cb771f5
SHA1 ff425e81951dff821c0078fac02a9f12303ecb50
SHA256 1a44615a9ccdff0a15dcb5acb91c602bd7ed7bc4142933ce719165487346d195
SHA512 d3c1cb1c589efd2f09262aba8af5673450678bda38c43c717b1268c10fc14ee08c3cc8358a1dd848cff5b1976f4837ba8b3ff4b503f0d1783f60ecdb8293a660

memory/2672-8-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2672-7-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2672-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2672-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2672-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2672-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2672-11-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2672-9-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp

MD5 ae766004c0d8792953bafffe8f6a2e3b
SHA1 14b12f27543a401e2fe0af8052e116cab0032426
SHA256 1abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540
SHA512 e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567

memory/2844-24-0x0000000074760000-0x0000000074D0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 11:45

Reported

2024-06-15 11:48

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3056 set thread context of 3520 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 3056 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 3056 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 3056 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3056 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3520 wrote to memory of 3708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\SysWOW64\schtasks.exe
PID 3520 wrote to memory of 3708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\SysWOW64\schtasks.exe
PID 3520 wrote to memory of 3708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ae45ec757612c255a5e1a0e42e7f83f1_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4376,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IcyOBKPuqiF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C7E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8028.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 moregrace.duckdns.org udp
US 8.8.4.4:53 moregrace.duckdns.org udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 moregrace.duckdns.org udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 moregrace.duckdns.org udp
US 8.8.4.4:53 moregrace.duckdns.org udp
US 8.8.8.8:53 moregrace.duckdns.org udp
US 8.8.8.8:53 moregrace.duckdns.org udp
US 8.8.4.4:53 moregrace.duckdns.org udp
US 8.8.8.8:53 moregrace.duckdns.org udp

Files

memory/3056-0-0x0000000074E82000-0x0000000074E83000-memory.dmp

memory/3056-1-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3056-2-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3056-3-0x0000000074E82000-0x0000000074E83000-memory.dmp

memory/3056-4-0x0000000074E80000-0x0000000075431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7C7E.tmp

MD5 573c008721a0eb26b6d1b449688d0a4c
SHA1 33b9da5c2c87bc471a2dc10948783a25fda1a8e1
SHA256 3bf6999888e5568e027acb2571d59d8db05a8e3dd3977eeb123ba4d4063e82fd
SHA512 7e10f4066a09e1e73ee9bfbce1cfef25270d6d8a36c790644a7f0711be62c8f8ab0f90dfc5cda0717635f1a7f1fe35727c8abf70cac8d4ea35ee232be9c5abb9

memory/3520-8-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3520-10-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3520-11-0x0000000074E80000-0x0000000075431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8028.tmp

MD5 ae766004c0d8792953bafffe8f6a2e3b
SHA1 14b12f27543a401e2fe0af8052e116cab0032426
SHA256 1abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540
SHA512 e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567

memory/3520-16-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3056-17-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3520-18-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3520-19-0x0000000074E80000-0x0000000075431000-memory.dmp