Malware Analysis Report

2025-01-03 05:03

Sample ID 230321-rwf4dsda9t
Target 4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.zip
SHA256 6c3b0f6fa0f3ea807c3a7ac53bfa13930c7b806020c8b7ccf2825b2b6f3ae771
Tags
bitrat redline infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c3b0f6fa0f3ea807c3a7ac53bfa13930c7b806020c8b7ccf2825b2b6f3ae771

Threat Level: Known bad

The file 4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.zip was found to be: Known bad.

Malicious Activity Summary

bitrat redline infostealer trojan

RedLine

BitRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-21 14:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-21 14:32

Reported

2023-03-21 14:35

Platform

win7-20230220-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe"

Signatures

BitRAT

trojan bitrat

RedLine

infostealer redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rr.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1532 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Users\Admin\AppData\Local\Temp\rr.exe
PID 1532 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Users\Admin\AppData\Local\Temp\rr.exe
PID 1532 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Users\Admin\AppData\Local\Temp\rr.exe
PID 1532 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Users\Admin\AppData\Local\Temp\rr.exe
PID 1532 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Users\Admin\AppData\Local\Temp\rr.exe
PID 1532 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Users\Admin\AppData\Local\Temp\rr.exe
PID 1532 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Users\Admin\AppData\Local\Temp\rr.exe
PID 596 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 596 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 596 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 596 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 596 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 596 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 596 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 596 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 596 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe

"C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\rr.exe

"C:\Users\Admin\AppData\Local\Temp\rr.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
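The WriteProcessMemory rows above, read together with the Processes list, are the evidence for the injection chain: the loader (PID 1532) writes into a vbc.exe it started with no arguments (PID 936), drops and starts rr.exe (PID 596), and rr.exe repeats the pattern into a second vbc.exe (PID 320). A signed compiler launched with an empty command line has nothing to compile, so a parent writing into it is the classic shape of process hollowing (the overview also flags SetThreadContext). The script below is an added example, not part of this report or of the sandbox's own tooling; it rebuilds that chain from the report's row format. The list of host binaries it treats as hollowing targets is an analyst-chosen assumption (the report itself only evidences vbc.exe), and the PID-to-command-line pairing is inferred from process order because the Processes section prints no PIDs.

```python
"""Rebuild the cross-process write chain from a sandbox report and flag
probable process hollowing (signed host binary started with no arguments,
then written to by its parent). Added example; not part of the report."""
import re
from collections import OrderedDict
from pathlib import PureWindowsPath

# Row layout used by the report's "Suspicious use of WriteProcessMemory" table:
# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Signed .NET/SDK binaries that commodity loaders commonly hollow. Analyst-chosen
# list (assumption); the report itself only evidences vbc.exe.
HOLLOWING_HOSTS = {
    "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
    "msbuild.exe", "installutil.exe", "aspnet_compiler.exe",
}

LOADER = r"C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\rr.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

# Rows copied from the behavioral1 table (the report repeats each row once per call).
SAMPLE_ROWS = [
    f"PID 1532 wrote to memory of 936 N/A {LOADER} {VBC}",
    f"PID 1532 wrote to memory of 936 N/A {LOADER} {VBC}",
    f"PID 1532 wrote to memory of 596 N/A {LOADER} {DROPPED}",
    f"PID 596 wrote to memory of 320 N/A {DROPPED} {VBC}",
    f"PID 596 wrote to memory of 320 N/A {DROPPED} {VBC}",
]

# Command lines from the Processes section. The report prints no PIDs there;
# the PID pairing below is inferred from process order (assumption).
SAMPLE_CMDLINES = {
    1532: f'"{LOADER}"',
    936: f'"{VBC}"',
    596: f'"{DROPPED}"',
    320: f'"{VBC}"',
}


def parse_wpm_rows(rows):
    """Collapse repeated rows into unique (src_pid, dst_pid, src_image, dst_image) edges."""
    edges = OrderedDict()
    for row in rows:
        m = WPM_ROW.match(row.strip())
        if m is None:
            continue  # header line or unrelated text
        src, dst, src_img, dst_img = m.groups()
        edges.setdefault((int(src), int(dst)), (src_img, dst_img))
    return [(s, d, si, di) for (s, d), (si, di) in edges.items()]


def has_no_arguments(cmdline):
    """True when the command line is only the (optionally quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        return close != -1 and s[close + 1:].strip() == ""
    return " " not in s


def is_hollowing_candidate(dst_image, cmdline):
    """A known host binary launched with no arguments has no legitimate work to do."""
    name = PureWindowsPath(dst_image).name.lower()
    return name in HOLLOWING_HOSTS and has_no_arguments(cmdline)


def injection_chains(rows, cmdlines):
    """Return (src_name, src_pid, dst_name, dst_pid, verdict) per unique edge."""
    findings = []
    for src, dst, src_img, dst_img in parse_wpm_rows(rows):
        if is_hollowing_candidate(dst_img, cmdlines.get(dst, "")):
            verdict = "probable process hollowing"
        else:
            verdict = "cross-process write (review)"
        findings.append((PureWindowsPath(src_img).name, src,
                         PureWindowsPath(dst_img).name, dst, verdict))
    return findings


if __name__ == "__main__":
    for src_name, src, dst_name, dst, verdict in injection_chains(SAMPLE_ROWS, SAMPLE_CMDLINES):
        print(f"{src_name} ({src}) -> {dst_name} ({dst}): {verdict}")
```

The same no-arguments check is the part worth lifting into endpoint telemetry: a process-creation event for vbc.exe (or any other entry in the host list) whose command line is just the quoted image path, followed by a cross-process write from its parent, is a high-confidence hollowing signal regardless of which loader family is behind it. The parent-to-rr.exe write is deliberately left as "review" rather than a verdict, since writing into a freshly created child is also what a legitimate CreateProcess can look like in some sandboxes.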

Network

Country Destination Domain Proto
NL 185.246.220.122:7164 tcp
NL 185.246.220.122:1488 tcp
NL 185.246.220.122:1488 tcp
NL 185.246.220.122:7164 tcp
NL 185.246.220.122:7164 tcp
NL 185.246.220.122:1488 tcp
NL 185.246.220.122:7164 tcp
NL 185.246.220.122:1488 tcp
NL 185.246.220.122:7164 tcp
NL 185.246.220.122:7164 tcp
NL 185.246.220.122:1488 tcp

Files

memory/1532-54-0x00000000001E0000-0x0000000000616000-memory.dmp

memory/1532-55-0x0000000006730000-0x0000000006B4A000-memory.dmp

memory/936-56-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-57-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-58-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-59-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-60-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-61-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-62-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-63-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1532-65-0x00000000009E0000-0x0000000000A20000-memory.dmp

memory/936-64-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-68-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-69-0x0000000000400000-0x00000000007CE000-memory.dmp

\Users\Admin\AppData\Local\Temp\rr.exe

MD5 3f2f9975e1964be99f7e51ddc30f8c07
SHA1 1e6d873c70d4ac66daf350087a50409050eeeaff
SHA256 843dc782676a45c6e1ab1197fe4d16ba3bc57943423eca12ec2b69ece68ac32f
SHA512 89848eb83bced651355f5d8f5fe767fe7830ebe4287be4345223438318246089710e5393a4a75b7cf5c5eb2df22429ebd56f248b46e628c44ea8f5df88c5fb0d

C:\Users\Admin\AppData\Local\Temp\rr.exe

MD5 3f2f9975e1964be99f7e51ddc30f8c07
SHA1 1e6d873c70d4ac66daf350087a50409050eeeaff
SHA256 843dc782676a45c6e1ab1197fe4d16ba3bc57943423eca12ec2b69ece68ac32f
SHA512 89848eb83bced651355f5d8f5fe767fe7830ebe4287be4345223438318246089710e5393a4a75b7cf5c5eb2df22429ebd56f248b46e628c44ea8f5df88c5fb0d

C:\Users\Admin\AppData\Local\Temp\rr.exe

MD5 3f2f9975e1964be99f7e51ddc30f8c07
SHA1 1e6d873c70d4ac66daf350087a50409050eeeaff
SHA256 843dc782676a45c6e1ab1197fe4d16ba3bc57943423eca12ec2b69ece68ac32f
SHA512 89848eb83bced651355f5d8f5fe767fe7830ebe4287be4345223438318246089710e5393a4a75b7cf5c5eb2df22429ebd56f248b46e628c44ea8f5df88c5fb0d

memory/596-76-0x0000000001270000-0x00000000012C6000-memory.dmp

memory/596-77-0x00000000009A0000-0x00000000009D0000-memory.dmp

memory/320-78-0x0000000000400000-0x0000000000432000-memory.dmp

memory/320-79-0x0000000000400000-0x0000000000432000-memory.dmp

memory/320-80-0x0000000000400000-0x0000000000432000-memory.dmp

memory/320-81-0x0000000000400000-0x0000000000432000-memory.dmp

memory/320-82-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/320-83-0x0000000000400000-0x0000000000432000-memory.dmp

memory/320-85-0x0000000000400000-0x0000000000432000-memory.dmp

memory/320-87-0x0000000000400000-0x0000000000432000-memory.dmp

memory/596-88-0x0000000004B00000-0x0000000004B40000-memory.dmp

memory/320-90-0x0000000002310000-0x0000000002350000-memory.dmp

memory/936-91-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-93-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-95-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-96-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-97-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1532-98-0x00000000009E0000-0x0000000000A20000-memory.dmp

memory/936-99-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/596-100-0x0000000004B00000-0x0000000004B40000-memory.dmp

memory/320-101-0x0000000002310000-0x0000000002350000-memory.dmp

memory/936-102-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-103-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-105-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-104-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-106-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-107-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-108-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/936-109-0x0000000000400000-0x00000000007CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-21 14:32

Reported

2023-03-21 14:35

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe"

Signatures

BitRAT

trojan bitrat

RedLine

infostealer redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rr.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3288 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3288 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3288 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3288 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3288 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3288 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3288 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3288 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3288 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3288 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3288 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3288 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Users\Admin\AppData\Local\Temp\rr.exe
PID 3288 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Users\Admin\AppData\Local\Temp\rr.exe
PID 3288 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe C:\Users\Admin\AppData\Local\Temp\rr.exe
PID 4200 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4200 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4200 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4200 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4200 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4200 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4200 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4200 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\rr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe

"C:\Users\Admin\AppData\Local\Temp\4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\rr.exe

"C:\Users\Admin\AppData\Local\Temp\rr.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
NL 185.246.220.122:7164 tcp
NL 185.246.220.122:1488 tcp
NL 178.79.208.1:80 tcp
US 8.8.8.8:53 37.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 185.246.220.122:1488 tcp
NL 185.246.220.122:7164 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 13.89.179.9:443 tcp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
NL 178.79.208.1:80 tcp
NL 178.79.208.1:80 tcp
NL 173.223.113.164:443 tcp
NL 185.246.220.122:7164 tcp
NL 185.246.220.122:1488 tcp
US 52.152.108.96:443 tcp
NL 185.246.220.122:7164 tcp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
NL 185.246.220.122:1488 tcp
NL 185.246.220.122:7164 tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
NL 185.246.220.122:7164 tcp
NL 185.246.220.122:1488 tcp
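Compared with the Windows 7 run, this Network table is padded with traffic the sample did not generate: PTR lookups against 8.8.8.8 and HTTPS connections that only appear in one detonation. The two endpoints that recur in both runs, on ports that are not 80 or 443, are 185.246.220.122:7164 and 185.246.220.122:1488, which is what you would expect from a BitRAT plus RedLine pairing contacting two separate C2 listeners. The script below is an added example, not part of the report or of the sandbox's tooling; it parses the report's row format, drops resolver and reverse-DNS noise, and ranks the remaining endpoints by how many detonations they were seen in. The sample rows are copied from the two Network tables (a subset of each); 178.79.208.1:80 is kept in the data to show that single-run web endpoints rank below the corroborated ones rather than being silently dropped.

```python
"""Separate C2 endpoints from sandbox/OS background traffic in the report's
Network tables and corroborate them across both detonations.
Added example; not part of the report."""
import re
from collections import Counter

# Row layout: "<country> <ip>:<port> [<domain>] <tcp|udp>"
NET_ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")

# Rows copied from the report's Network tables (subset of each run).
RUN1_WIN7 = [
    "NL 185.246.220.122:7164 tcp",
    "NL 185.246.220.122:1488 tcp",
    "NL 185.246.220.122:1488 tcp",
    "NL 185.246.220.122:7164 tcp",
    "NL 185.246.220.122:7164 tcp",
]
RUN2_WIN10 = [
    "US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp",
    "US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp",
    "NL 185.246.220.122:7164 tcp",
    "NL 185.246.220.122:1488 tcp",
    "NL 178.79.208.1:80 tcp",
    "US 13.89.179.9:443 tcp",
    "NL 178.79.208.1:80 tcp",
    "NL 173.223.113.164:443 tcp",
    "NL 185.246.220.122:7164 tcp",
    "US 52.152.108.96:443 tcp",
    "NL 185.246.220.122:1488 tcp",
]


def parse_net_rows(rows):
    """Return (country, ip, port, domain_or_None, proto) per parseable row."""
    out = []
    for row in rows:
        m = NET_ROW.match(row.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            out.append((cc, ip, int(port), domain, proto))
    return out


def is_background_noise(ip, port, domain, proto):
    """Resolver traffic and reverse lookups come from the sandbox/OS, not the sample."""
    if proto == "udp" and port == 53:
        return True
    return bool(domain) and domain.endswith(".in-addr.arpa")


def rank_endpoints(runs):
    """Count connections per (ip, port, proto) in each run; rank by corroboration, then volume."""
    per_run = []
    for rows in runs:
        counts = Counter()
        for cc, ip, port, domain, proto in parse_net_rows(rows):
            if not is_background_noise(ip, port, domain, proto):
                counts[(ip, port, proto)] += 1
        per_run.append(counts)
    ranked = []
    for key in set().union(*per_run):
        hits = [c[key] for c in per_run]
        ranked.append({
            "ip": key[0], "port": key[1], "proto": key[2],
            "connections": sum(hits),
            "runs": sum(1 for n in hits if n),
            "nonstandard_port": key[1] not in (80, 443),
        })
    ranked.sort(key=lambda r: (-r["runs"], -r["connections"], r["ip"], r["port"]))
    return ranked


def c2_candidates(runs):
    """Endpoints hit in every detonation on a non-web port: publish these first.
    Single-run HTTPS endpoints need a reputation check before they become IOCs."""
    return [r for r in rank_endpoints(runs) if r["runs"] == len(runs) and r["nonstandard_port"]]


if __name__ == "__main__":
    for r in rank_endpoints([RUN1_WIN7, RUN2_WIN10]):
        print(f"{r['ip']}:{r['port']}/{r['proto']} runs={r['runs']} connections={r['connections']}")
    print("C2 candidates:", [(r["ip"], r["port"]) for r in c2_candidates([RUN1_WIN7, RUN2_WIN10])])
```

The ranking deliberately uses corroboration across detonations as the first key: an endpoint that a sample beacons to on both Windows 7 and Windows 10 is driven by the sample, while 443 traffic that shows up only on the Windows 10 image is as likely to be OS or browser background activity. Those single-run endpoints are reported, not discarded, so an analyst can still check them before publishing an IOC list.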

Files

memory/3288-133-0x0000000000DC0000-0x00000000011F6000-memory.dmp

memory/3288-134-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

memory/3992-135-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-137-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-138-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-139-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rr.exe

MD5 3f2f9975e1964be99f7e51ddc30f8c07
SHA1 1e6d873c70d4ac66daf350087a50409050eeeaff
SHA256 843dc782676a45c6e1ab1197fe4d16ba3bc57943423eca12ec2b69ece68ac32f
SHA512 89848eb83bced651355f5d8f5fe767fe7830ebe4287be4345223438318246089710e5393a4a75b7cf5c5eb2df22429ebd56f248b46e628c44ea8f5df88c5fb0d

C:\Users\Admin\AppData\Local\Temp\rr.exe

MD5 3f2f9975e1964be99f7e51ddc30f8c07
SHA1 1e6d873c70d4ac66daf350087a50409050eeeaff
SHA256 843dc782676a45c6e1ab1197fe4d16ba3bc57943423eca12ec2b69ece68ac32f
SHA512 89848eb83bced651355f5d8f5fe767fe7830ebe4287be4345223438318246089710e5393a4a75b7cf5c5eb2df22429ebd56f248b46e628c44ea8f5df88c5fb0d

C:\Users\Admin\AppData\Local\Temp\rr.exe

MD5 3f2f9975e1964be99f7e51ddc30f8c07
SHA1 1e6d873c70d4ac66daf350087a50409050eeeaff
SHA256 843dc782676a45c6e1ab1197fe4d16ba3bc57943423eca12ec2b69ece68ac32f
SHA512 89848eb83bced651355f5d8f5fe767fe7830ebe4287be4345223438318246089710e5393a4a75b7cf5c5eb2df22429ebd56f248b46e628c44ea8f5df88c5fb0d

memory/4200-150-0x0000000000200000-0x0000000000256000-memory.dmp

memory/228-151-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4200-152-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/228-153-0x0000000005CA0000-0x00000000062B8000-memory.dmp

memory/228-154-0x0000000005820000-0x000000000592A000-memory.dmp

memory/228-155-0x0000000005750000-0x0000000005762000-memory.dmp

memory/228-156-0x00000000057B0000-0x00000000057EC000-memory.dmp

memory/228-157-0x0000000005A60000-0x0000000005A70000-memory.dmp

memory/3992-158-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-159-0x000000006D600000-0x000000006D639000-memory.dmp

memory/3992-160-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-161-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-162-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-163-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-164-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-165-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-166-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3288-167-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

memory/3992-168-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4200-169-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/228-170-0x0000000005A60000-0x0000000005A70000-memory.dmp

memory/3992-171-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-172-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-173-0x000000006D570000-0x000000006D5A9000-memory.dmp

memory/3992-174-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-175-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-176-0x000000006D570000-0x000000006D5A9000-memory.dmp

memory/3992-177-0x000000006D600000-0x000000006D639000-memory.dmp

memory/3992-178-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-179-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-180-0x000000006D570000-0x000000006D5A9000-memory.dmp

memory/3992-181-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-182-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3992-183-0x000000006D570000-0x000000006D5A9000-memory.dmp