Malware Analysis Report

2024-08-06 14:46

Sample ID 240701-kme2easaqd
Target 1aa528ae0762cc74e119112dd15e5bc8_JaffaCakes118
SHA256 ba2970f451e208bde517ed46ca8f7a55263d122a11bedaaf8188ff2a34c609d5
Tags
nanocore evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba2970f451e208bde517ed46ca8f7a55263d122a11bedaaf8188ff2a34c609d5

Threat Level: Known bad

The file 1aa528ae0762cc74e119112dd15e5bc8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-01 08:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-01 08:42

Reported

2024-07-01 08:45

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr" /S

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 556 set thread context of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 556 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Windows\SysWOW64\schtasks.exe
PID 556 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Windows\SysWOW64\schtasks.exe
PID 556 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Windows\SysWOW64\schtasks.exe
PID 556 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 556 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 556 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 556 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 556 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 556 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 556 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 556 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr

Processes

C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr

"C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr" /S

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sivatVvbFbzxFj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD88D.tmp"

C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp

Files

memory/556-0-0x000000007532E000-0x000000007532F000-memory.dmp

memory/556-1-0x0000000000A80000-0x0000000000B30000-memory.dmp

memory/556-2-0x0000000005B50000-0x00000000060F4000-memory.dmp

memory/556-3-0x00000000055A0000-0x0000000005632000-memory.dmp

memory/556-4-0x0000000005530000-0x000000000553A000-memory.dmp

memory/556-5-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/556-6-0x0000000006C70000-0x0000000006D0C000-memory.dmp

memory/556-7-0x00000000056C0000-0x00000000056C8000-memory.dmp

memory/556-8-0x000000007532E000-0x000000007532F000-memory.dmp

memory/556-9-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/556-10-0x0000000006FD0000-0x0000000007060000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD88D.tmp

MD5 d859191a439a243b1d64294556f6ffd2
SHA1 3c8b06a9edfdc1f1f5ba2de4a783853b2321c83c
SHA256 ca294cfd760b8eb15f262870caa654db17eeb745504f077f2cd49bc3c7e16718
SHA512 2a8e8c5dc4f07316559f6cfab987f2a64a3505d9ee473a0804c83760924c80205bcffec14ec8c7c36fe747ac7717c00226abd7cecf2de3d53bb57766fb7e36c9

memory/1508-14-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/556-17-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/1508-18-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/1508-19-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/1508-21-0x00000000054E0000-0x00000000054EA000-memory.dmp

memory/1508-22-0x0000000005640000-0x000000000565E000-memory.dmp

memory/1508-23-0x0000000005680000-0x000000000568A000-memory.dmp

memory/1508-24-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/1508-25-0x0000000075320000-0x0000000075AD0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-01 08:42

Reported

2024-07-01 08:45

Platform

win7-20240220-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr" /S

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2924 set thread context of 1656 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Windows\SysWOW64\schtasks.exe
PID 2924 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Windows\SysWOW64\schtasks.exe
PID 2924 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Windows\SysWOW64\schtasks.exe
PID 2924 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Windows\SysWOW64\schtasks.exe
PID 2924 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 2924 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 2924 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 2924 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 2924 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 2924 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 2924 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 2924 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr
PID 2924 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr

Processes

C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr

"C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr" /S

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sivatVvbFbzxFj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9878.tmp"

C:\Users\Admin\AppData\Local\Temp\PO,,, Quote No. 291177_255564GYH01 1192643-2152021,pdf.scr

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp
US 8.8.8.8:53 newlogs.ddns.net udp
US 8.8.4.4:53 newlogs.ddns.net udp

Files

memory/2924-0-0x000000007423E000-0x000000007423F000-memory.dmp

memory/2924-1-0x00000000013C0000-0x0000000001470000-memory.dmp

memory/2924-2-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2924-3-0x0000000000330000-0x0000000000338000-memory.dmp

memory/2924-4-0x000000007423E000-0x000000007423F000-memory.dmp

memory/2924-5-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2924-6-0x0000000005210000-0x00000000052A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9878.tmp

MD5 1d3db4cc966060969b4740034808396a
SHA1 37a195d071fac2ed7ad29722532e32589391c150
SHA256 c41e504d75dfcca6843edc89ceb73782d313ff69a72cb3f437a57846b011eece
SHA512 da291d98cf17316cecfffc356480239982d2fae9c1021ca395d4a29d111ff4b5ae5847dad59046e04b711cddf80a522595a6f2dac27d5b2cbbde51fb03b7095e

memory/1656-10-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1656-11-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1656-13-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1656-18-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1656-20-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1656-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1656-12-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1656-16-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2924-21-0x0000000074230000-0x000000007491E000-memory.dmp

memory/1656-23-0x0000000000630000-0x000000000063A000-memory.dmp

memory/1656-24-0x0000000000640000-0x000000000065E000-memory.dmp

memory/1656-25-0x0000000000660000-0x000000000066A000-memory.dmp