Analysis Overview
SHA256
0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3
Threat Level: Known bad
The file 7Dh9pl21mjWDN3A.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-05 06:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 06:47
Reported
2024-08-05 06:49
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
NanoCore
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Subsystem = "C:\\Program Files (x86)\\WPA Subsystem\\wpass.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2328 set thread context of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\WPA Subsystem\wpass.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WPA Subsystem\wpass.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe
"C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mzHFviYTm.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mzHFviYTm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA7F.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpED2F.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpED5E.tmp"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmpEA7F.tmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_111ldjnw.ey4.ps1
C:\Users\Admin\AppData\Local\Temp\tmpED2F.tmp
C:\Users\Admin\AppData\Local\Temp\tmpED5E.tmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 06:47
Reported
2024-08-05 06:50
Platform
win7-20240705-en
Max time kernel
133s
Max time network
144s
Command Line
Signatures
NanoCore
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Subsystem = "C:\\Program Files (x86)\\AGP Subsystem\\agpss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1992 set thread context of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AGP Subsystem\agpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AGP Subsystem\agpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe
"C:\Users\Admin\AppData\Local\Temp\7Dh9pl21mjWDN3A.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mzHFviYTm.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mzHFviYTm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFAC3.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFCE5.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFD34.tmp"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmpFAC3.tmp
C:\Users\Admin\AppData\Local\Temp\tmpFCE5.tmp
C:\Users\Admin\AppData\Local\Temp\tmpFD34.tmp