Analysis Overview
SHA256
30c5d869f498b0f5829d0fee3c239cd2712fe3a14732026fe6daf8f92555439a
Threat Level: Known bad
The file JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf was found to be: Known bad.
Malicious Activity Summary
Blackshades family
Blackshades payload
Modifies firewall policy service
Blackshades
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-28 23:01
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-28 23:01
Reported
2025-01-28 23:04
Platform
win7-20241010-en
Max time kernel
148s
Max time network
140s
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6ZKY5N6S1Q.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Steamservice.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Steamservice.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Steamservice.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1196 set thread context of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | C:\Users\Admin\AppData\Roaming\Steamservice.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Steamservice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Steamservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Steamservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Steamservice.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe"
C:\Users\Admin\AppData\Roaming\Steamservice.exe
C:\Users\Admin\AppData\Roaming\Steamservice.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Steamservice.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Steamservice.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Steamservice.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Steamservice.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 700
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jir.zapto.org | udp |
Files
\Users\Admin\AppData\Roaming\Steamservice.exe
| MD5 | d8e7637c0c4889b318f1014bce3a3f66 |
| SHA1 | 1ddb18c609fca498b7f41cf70dfd295b91f95ab9 |
| SHA256 | cf67a5b89de19d3e9f91e3ebf43162caea7532a51689225161e97cd7b56a717f |
| SHA512 | bb5c82628a754975343cd192f3d656007e40c1e7a2c3d5dad5030f029783c2bdcb34d4b33768c5a4abbd6029692c1bde0bda9038a35e933d3e7669fbafe61791 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-28 23:01
Reported
2025-01-30 14:34
Platform
win10v2004-20250129-en
Max time kernel
148s
Max time network
137s
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Steamservice.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Steamservice.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6ZKY5N6S1Q.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Steamservice.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5080 set thread context of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | C:\Users\Admin\AppData\Roaming\Steamservice.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Steamservice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Steamservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Steamservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Steamservice.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50327a2c74bd40e5e4d103a3c4111fcf.exe"
C:\Users\Admin\AppData\Roaming\Steamservice.exe
C:\Users\Admin\AppData\Roaming\Steamservice.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Steamservice.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Steamservice.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Steamservice.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Steamservice.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6ZKY5N6S1Q.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1156
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jir.zapto.org | udp |
| US | 8.8.8.8:53 | 11.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jir.zapto.org | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jir.zapto.org | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jir.zapto.org | udp |
| US | 8.8.8.8:53 | jir.zapto.org | udp |
| US | 8.8.8.8:53 | 13.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jir.zapto.org | udp |
| US | 8.8.8.8:53 | jir.zapto.org | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jir.zapto.org | udp |
| US | 8.8.8.8:53 | jir.zapto.org | udp |
| US | 8.8.8.8:53 | jir.zapto.org | udp |
Files
C:\Users\Admin\AppData\Roaming\Steamservice.exe
| MD5 | d8e7637c0c4889b318f1014bce3a3f66 |
| SHA1 | 1ddb18c609fca498b7f41cf70dfd295b91f95ab9 |
| SHA256 | cf67a5b89de19d3e9f91e3ebf43162caea7532a51689225161e97cd7b56a717f |
| SHA512 | bb5c82628a754975343cd192f3d656007e40c1e7a2c3d5dad5030f029783c2bdcb34d4b33768c5a4abbd6029692c1bde0bda9038a35e933d3e7669fbafe61791 |