Malware Analysis Report

2025-08-05 13:52

Sample ID 220621-mdm2rsfbf6
Target networksec.exe.vir
SHA256 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21
Tags xloader a2es loader persistence rat suricata spyware stealer
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21

Threat Level: Known bad

The file networksec.exe.vir was found to be: Known bad.

Malicious Activity Summary

Tags xloader a2es loader persistence rat suricata spyware stealer

suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Adds policy Run key to start application
Reads user/profile data of web browsers
Deletes itself
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-06-21 10:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-06-21 10:21
Reported 2022-06-21 10:23
Platform win7-20220414-en
Max time kernel 150s
Max time network 150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader [loader, xloader]

suricata: ET MALWARE FormBook CnC Checkin (GET) [suricata]

Xloader Payload [rat]

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 identical rows)

Adds policy Run key to start application [persistence]

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BX44A = "C:\\Program Files (x86)\\Y0x6h\\gdie2aprv_h.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2040 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | C:\Users\Admin\AppData\Local\Temp\networksec.exe
PID 1632 set thread context of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | C:\Windows\Explorer.EXE (2 identical rows)
PID 804 set thread context of 1248 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Y0x6h\gdie2aprv_h.exe | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies Internet Explorer settings [adware, spyware]

Description | Indicator | Process | Target
Key created | \Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A (2 identical rows)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2040 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | C:\Users\Admin\AppData\Local\Temp\networksec.exe (7 identical rows)
PID 1248 wrote to memory of 804 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\svchost.exe (4 identical rows)
PID 804 wrote to memory of 1688 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 804 wrote to memory of 888 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Program Files\Mozilla Firefox\Firefox.exe (5 identical rows)

Processes

Process | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\networksec.exe | "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Users\Admin\AppData\Local\Temp\networksec.exe | "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Windows\SysWOW64\svchost.exe | "C:\Windows\SysWOW64\svchost.exe"
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.klapia.online | udp
ES | 31.214.178.54:80 | www.klapia.online | tcp
US | 8.8.8.8:53 | www.katescakesandcreations.com | udp
US | 103.224.212.221:80 | www.katescakesandcreations.com | tcp
US | 8.8.8.8:53 | www.kalycollcwn.info | udp
US | 172.67.154.199:80 | www.kalycollcwn.info | tcp
US | 8.8.8.8:53 | www.berendsit.com | udp
US | 69.57.161.110:80 | www.berendsit.com | tcp
US | 8.8.8.8:53 | www.loansbill-pay.website | udp
US | 35.165.255.15:80 | www.loansbill-pay.website | tcp
US | 35.165.255.15:80 | www.loansbill-pay.website | tcp
US | 8.8.8.8:53 | www.coraorganizing.com | udp
US | 35.208.42.134:80 | www.coraorganizing.com | tcp
US | 35.208.42.134:80 | www.coraorganizing.com | tcp
US | 8.8.8.8:53 | www.smartmindstutorials.com | udp
US | 188.114.97.0:80 | www.smartmindstutorials.com | tcp
US | 188.114.97.0:80 | www.smartmindstutorials.com | tcp

Files

memory/2040-54-0x00000000013C0000-0x000000000143C000-memory.dmp
memory/2040-55-0x0000000076261000-0x0000000076263000-memory.dmp
memory/2040-56-0x0000000000520000-0x000000000052E000-memory.dmp
memory/2040-57-0x0000000005A60000-0x0000000005ACA000-memory.dmp
memory/2040-58-0x00000000007B0000-0x00000000007E2000-memory.dmp
memory/1632-59-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1632-60-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1632-62-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1632-63-0x000000000041F2B0-mapping.dmp
memory/1632-65-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1632-66-0x0000000000820000-0x0000000000B23000-memory.dmp
memory/1632-67-0x0000000000250000-0x0000000000261000-memory.dmp
memory/1248-68-0x0000000006360000-0x00000000064DE000-memory.dmp
memory/1632-70-0x0000000000380000-0x0000000000391000-memory.dmp
memory/1248-71-0x0000000006CF0000-0x0000000006E69000-memory.dmp
memory/804-72-0x0000000000000000-mapping.dmp
memory/1632-73-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1688-74-0x0000000000000000-mapping.dmp
memory/804-75-0x00000000008F0000-0x00000000008F8000-memory.dmp
memory/804-76-0x0000000000900000-0x0000000000C03000-memory.dmp
memory/804-77-0x0000000000080000-0x00000000000AB000-memory.dmp
memory/804-78-0x0000000000440000-0x00000000004D0000-memory.dmp
memory/1248-79-0x0000000006B10000-0x0000000006C64000-memory.dmp
memory/804-80-0x0000000000080000-0x00000000000AB000-memory.dmp
memory/1248-81-0x0000000006B10000-0x0000000006C64000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-06-21 10:21
Reported 2022-06-21 10:23
Platform win10v2004-20220414-en
Max time kernel 149s
Max time network 152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader [loader, xloader]

suricata: ET MALWARE FormBook CnC Checkin (GET) [suricata]

suricata: ET MALWARE FormBook CnC Checkin (POST) M2 [suricata]

Xloader Payload [rat]

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 identical rows)

Adds policy Run key to start application [persistence]

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\colorcpl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NHSDRZI = "C:\\Program Files (x86)\\Cib1p9hmx\\vf-8irujo4aht.exe" | C:\Windows\SysWOW64\colorcpl.exe | N/A

Reads user/profile data of web browsers [spyware, stealer]

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4052 set thread context of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | C:\Users\Admin\AppData\Local\Temp\networksec.exe
PID 1096 set thread context of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | C:\Windows\Explorer.EXE
PID 4680 set thread context of 672 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Cib1p9hmx\vf-8irujo4aht.exe | C:\Windows\SysWOW64\colorcpl.exe | N/A

Modifies Internet Explorer settings [adware, spyware]

Description | Indicator | Process | Target
Key created | \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\colorcpl.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A (4 identical rows)
N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A (36 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4052 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\networksec.exe | C:\Users\Admin\AppData\Local\Temp\networksec.exe (6 identical rows)
PID 672 wrote to memory of 4680 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\colorcpl.exe (3 identical rows)
PID 4680 wrote to memory of 444 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4680 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4680 wrote to memory of 1148 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4680 wrote to memory of 1664 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Program Files\Mozilla Firefox\Firefox.exe (3 identical rows)

Processes

Process | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\networksec.exe | "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Users\Admin\AppData\Local\Temp\networksec.exe | "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Windows\SysWOW64\colorcpl.exe | "C:\Windows\SysWOW64\colorcpl.exe"
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp
GB | 173.222.211.107:80 | (none) | tcp
GB | 173.222.211.107:80 | (none) | tcp
IE | 13.69.239.72:443 | (none) | tcp
BE | 8.238.110.126:80 | (none) | tcp
BE | 8.238.110.126:80 | (none) | tcp
US | 8.8.8.8:53 | www.klapia.online | udp
ES | 31.214.178.54:80 | www.klapia.online | tcp
US | 8.8.8.8:53 | www.berendsit.com | udp
US | 69.57.161.110:80 | www.berendsit.com | tcp
US | 8.8.8.8:53 | www.glutenfreebahrain.com | udp
US | 34.102.136.180:80 | www.glutenfreebahrain.com | tcp
US | 34.102.136.180:80 | www.glutenfreebahrain.com | tcp
US | 34.102.136.180:80 | www.glutenfreebahrain.com | tcp
US | 8.8.8.8:53 | www.ckhla.com | udp
DE | 3.64.163.50:80 | www.ckhla.com | tcp
DE | 3.64.163.50:80 | www.ckhla.com | tcp
DE | 3.64.163.50:80 | www.ckhla.com | tcp
US | 8.8.8.8:53 | www.katescakesandcreations.com | udp
US | 103.224.212.221:80 | www.katescakesandcreations.com | tcp
US | 103.224.212.221:80 | www.katescakesandcreations.com | tcp
US | 103.224.212.221:80 | www.katescakesandcreations.com | tcp
US | 8.8.8.8:53 | www.needgreatwork.com | udp
GB | 35.197.227.153:80 | www.needgreatwork.com | tcp
GB | 35.197.227.153:80 | www.needgreatwork.com | tcp
GB | 35.197.227.153:80 | www.needgreatwork.com | tcp
US | 8.8.8.8:53 | www.tvmountinstallguy.com | udp
US | 74.208.236.209:80 | www.tvmountinstallguy.com | tcp
US | 74.208.236.209:80 | www.tvmountinstallguy.com | tcp
US | 74.208.236.209:80 | www.tvmountinstallguy.com | tcp
NL | 104.123.41.162:80 | (none) | tcp
US | 8.8.8.8:53 | www.mideazhiyou.com | udp
US | 38.63.251.105:80 | www.mideazhiyou.com | tcp
US | 38.63.251.105:80 | www.mideazhiyou.com | tcp
US | 38.63.251.105:80 | www.mideazhiyou.com | tcp
US | 8.8.8.8:53 | www.choicegoodsshop.com | udp
US | 164.155.217.147:80 | www.choicegoodsshop.com | tcp
US | 164.155.217.147:80 | www.choicegoodsshop.com | tcp
US | 164.155.217.147:80 | www.choicegoodsshop.com | tcp
US | 8.8.8.8:53 | www.princesskinnymixers.com | udp
DE | 3.64.163.50:80 | www.princesskinnymixers.com | tcp
DE | 3.64.163.50:80 | www.princesskinnymixers.com | tcp
DE | 3.64.163.50:80 | www.princesskinnymixers.com | tcp
US | 8.8.8.8:53 | www.roboticsdatascience.com | udp
US | 34.102.136.180:80 | www.roboticsdatascience.com | tcp
US | 34.102.136.180:80 | www.roboticsdatascience.com | tcp
US | 34.102.136.180:80 | www.roboticsdatascience.com | tcp
US | 8.8.8.8:53 | www.cxy.cool | udp
US | 8.8.8.8:53 | www.sportrid.com | udp
HK | 103.160.204.3:80 | www.sportrid.com | tcp
HK | 103.160.204.3:80 | www.sportrid.com | tcp
HK | 103.160.204.3:80 | www.sportrid.com | tcp
US | 8.8.8.8:53 | www.js-films.com | udp
US | 170.130.32.106:80 | www.js-films.com | tcp
US | 170.130.32.106:80 | www.js-films.com | tcp
US | 170.130.32.106:80 | www.js-films.com | tcp
US | 8.8.8.8:53 | www.theskinrevive.com | udp

Files

memory/4052-130-0x0000000000490000-0x000000000050C000-memory.dmp
memory/4052-131-0x0000000005390000-0x0000000005934000-memory.dmp
memory/4052-132-0x0000000004EA0000-0x0000000004F32000-memory.dmp
memory/4052-133-0x0000000005050000-0x000000000505A000-memory.dmp
memory/4052-134-0x0000000008760000-0x00000000087FC000-memory.dmp
memory/1096-135-0x0000000000000000-mapping.dmp
memory/1096-136-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1096-138-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1096-139-0x0000000001710000-0x0000000001A5A000-memory.dmp
memory/1096-140-0x00000000016B0000-0x00000000016C1000-memory.dmp
memory/672-141-0x0000000008E70000-0x000000000900C000-memory.dmp
memory/4680-142-0x0000000000000000-mapping.dmp
memory/444-143-0x0000000000000000-mapping.dmp
memory/4680-144-0x0000000000FB0000-0x0000000000FC9000-memory.dmp
memory/4680-146-0x0000000003140000-0x000000000348A000-memory.dmp
memory/4680-145-0x0000000000F00000-0x0000000000F2B000-memory.dmp
memory/672-148-0x0000000003360000-0x000000000345A000-memory.dmp
memory/4680-147-0x0000000002F60000-0x0000000002FF0000-memory.dmp
memory/4680-149-0x0000000000F00000-0x0000000000F2B000-memory.dmp
memory/672-150-0x0000000003360000-0x000000000345A000-memory.dmp
memory/2404-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1
  MD5 b608d407fc15adea97c26936bc6f03f6
  SHA1 953e7420801c76393902c0d6bb56148947e41571
  SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

memory/1148-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1
  MD5 349e6eb110e34a08924d92f6b334801d
  SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574