Analysis Overview
SHA256
df57bad53e8a72aad344e6cc2644fe757cf2ae0744a8c0f1c6c0caff63379203
Threat Level: Known bad
The file 7285fe11585198388f629e081d1c0f83_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Checks BIOS information in registry
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 04:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 04:05
Reported
2024-07-26 04:36
Platform
win7-20240704-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
RevengeRAT
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Usermode Font Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Usermode Font Driver Host.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\getmac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
"C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c getmac /v /fo list
C:\Windows\SysWOW64\getmac.exe
getmac /v /fo list
C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
"C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE"
C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Chrome Updater" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {8FF2FF46-EBFA-4F1A-911C-13D83DD5B12F} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
Files
memory/2516-0-0x0000000001040000-0x0000000001312000-memory.dmp
memory/2516-1-0x0000000001040000-0x0000000001312000-memory.dmp
memory/2516-2-0x0000000001040000-0x0000000001312000-memory.dmp
memory/2516-3-0x00000000009A0000-0x00000000009D6000-memory.dmp
\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
| MD5 | 76aca22cbb97f33600ac8a57643e9521 |
| SHA1 | 7f0fbe012460ff4ed705f2002190b72f717eab8f |
| SHA256 | d8ee7da90047416960c08869a251fac032fa0f9c8bf4ebb7de6ae92cdab5853a |
| SHA512 | 50d5cca22f2bb9229ab830b3783acda277716a5fe6c0c78060be727153cd1d35171cb1385dd2ad2a7b32a2c1b41fa6d954572f4843d270d8340df00744190ed0 |
memory/2700-10-0x0000000001290000-0x00000000012C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
| MD5 | 6a62d4ed369105b26b6133f536160791 |
| SHA1 | f9e232fb7f7316fbaafcb817235e2406ebd8db79 |
| SHA256 | fb18c286d846003d2d2888749176b5b032e506eef01a44d3befe0eeed8e99f70 |
| SHA512 | ea9f9e627cae6ff9204416c97c8ba2db11a14a8aead72a999159c36f8e90e6136e50aafb84d25ff8c1dc1b6ebe1304ea88d4e4bbf5a72515d59653b12c143980 |
C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
| MD5 | 996f495437c25b794acafc4b0f945a84 |
| SHA1 | e22fb0120b9988928303323593478edad4887fa3 |
| SHA256 | d063370cbe1e2d284518607c87c2bcefe02a9446bfbcdf4edf61e340f576d89f |
| SHA512 | 0fe1086461e38966feec4a43efca63f7585a77ca8ed439ba8e631bc7bdfdb3b34fc3d0a9a285868b47819de80fc2686358833acec28c0eff4e6c1fbed1890d63 |
memory/2516-27-0x0000000001040000-0x0000000001312000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 04:05
Reported
2024-07-26 04:36
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
RevengeRAT
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Usermode Font Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Usermode Font Driver Host.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\getmac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
"C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c getmac /v /fo list
C:\Windows\SysWOW64\getmac.exe
getmac /v /fo list
C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
"C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE"
C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Chrome Updater" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | 89712.ddns.net | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/5000-0-0x00000000003D0000-0x00000000006A2000-memory.dmp
memory/5000-1-0x00000000003D0000-0x00000000006A2000-memory.dmp
memory/5000-2-0x00000000003D0000-0x00000000006A2000-memory.dmp
memory/5000-3-0x0000000006DC0000-0x0000000006DF6000-memory.dmp
memory/5000-4-0x00000000096C0000-0x000000000975C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
| MD5 | 76aca22cbb97f33600ac8a57643e9521 |
| SHA1 | 7f0fbe012460ff4ed705f2002190b72f717eab8f |
| SHA256 | d8ee7da90047416960c08869a251fac032fa0f9c8bf4ebb7de6ae92cdab5853a |
| SHA512 | 50d5cca22f2bb9229ab830b3783acda277716a5fe6c0c78060be727153cd1d35171cb1385dd2ad2a7b32a2c1b41fa6d954572f4843d270d8340df00744190ed0 |
memory/1960-16-0x0000000000460000-0x0000000000492000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
| MD5 | 6a62d4ed369105b26b6133f536160791 |
| SHA1 | f9e232fb7f7316fbaafcb817235e2406ebd8db79 |
| SHA256 | fb18c286d846003d2d2888749176b5b032e506eef01a44d3befe0eeed8e99f70 |
| SHA512 | ea9f9e627cae6ff9204416c97c8ba2db11a14a8aead72a999159c36f8e90e6136e50aafb84d25ff8c1dc1b6ebe1304ea88d4e4bbf5a72515d59653b12c143980 |
C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
| MD5 | 996f495437c25b794acafc4b0f945a84 |
| SHA1 | e22fb0120b9988928303323593478edad4887fa3 |
| SHA256 | d063370cbe1e2d284518607c87c2bcefe02a9446bfbcdf4edf61e340f576d89f |
| SHA512 | 0fe1086461e38966feec4a43efca63f7585a77ca8ed439ba8e631bc7bdfdb3b34fc3d0a9a285868b47819de80fc2686358833acec28c0eff4e6c1fbed1890d63 |
memory/5000-38-0x00000000003D0000-0x00000000006A2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Usermode Font Driver Host.exe.log
| MD5 | bd95ac96ff31d0b0495938dd64dae2e1 |
| SHA1 | 2a3b064d19c455097a55d56212afda1bde598281 |
| SHA256 | 6a7a49027aefabf3e2923afbb8ff2f1d7d35b95488dd410fa0ace874965c76a1 |
| SHA512 | 3f489a6e9e8f8400bcb76207fc024653641a30a9ee02cc8175173c341976dcc1715a6dcc4ea5b9abad884bdd9730e5f4062194c9fe9736e9ca4e6351f800709f |