Analysis Overview
SHA256
28fe91c48fa8583da9692cbdee3c2c32038d5dc3f8ca7dcd195f74511c1d6a78
Threat Level: Known bad
The file 96739a4d394217c2cbd895cf16acc0c8 was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
A310logger
StormKitty
A310logger Executable
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Reads local data of messenger clients
Looks up geolocation information via web service
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious behavior: MapViewOfSection
outlook_office_path
outlook_win_path
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-26 23:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-26 23:33
Reported
2023-12-28 18:05
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
A310logger
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
A310logger Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1728 set thread context of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe |
| PID 2992 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
| PID 2992 set thread context of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
| PID 2992 set thread context of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe
"C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe"
C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe
"C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
Files
memory/1728-1-0x0000000000130000-0x0000000000132000-memory.dmp
memory/1728-0-0x0000000000EB0000-0x0000000000EF0000-memory.dmp
memory/2992-2-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1728-4-0x0000000000EB0000-0x0000000000EF0000-memory.dmp
memory/2992-5-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2668-14-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2668-12-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2668-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2668-10-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2668-18-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2668-8-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2668-20-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2668-22-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2668-23-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/2668-24-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/2668-25-0x0000000000720000-0x0000000000760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab9974.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar9BC8.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f520172ad4d3346605f8781d6638d881 |
| SHA1 | f70be3a1775273845c9fada37b07b4876891fbdd |
| SHA256 | a448d898c6c00808d74e1cb63412738f160f08fa1163cc353c5ff160830f9dd1 |
| SHA512 | dbcf1b0f8bebc80214f21c11ad215ad31a5eb36f6a401bf3810c1141a0ca81e3fa3a54540cec27f3273c5b7f87a60d65ab98f5a9cd14d64a4f1eb5629bc402b9 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
| MD5 | 1bad0cbd09b05a21157d8255dc801778 |
| SHA1 | ff284bba12f011b72e20d4c9537d6c455cdbf228 |
| SHA256 | 218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9 |
| SHA512 | 4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533 |
memory/2284-95-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp
memory/2284-96-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp
memory/2668-97-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/2992-98-0x0000000000400000-0x0000000000430000-memory.dmp
memory/548-112-0x0000000000400000-0x0000000000418000-memory.dmp
memory/548-114-0x0000000000400000-0x0000000000418000-memory.dmp
memory/548-115-0x0000000074530000-0x0000000074ADB000-memory.dmp
memory/548-116-0x0000000000450000-0x0000000000490000-memory.dmp
memory/548-117-0x0000000074530000-0x0000000074ADB000-memory.dmp
memory/548-118-0x0000000074530000-0x0000000074ADB000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6741115a553327b8aa6757ebbd10ad47 |
| SHA1 | dc60ef4c5e439deb3c385ebf64535b2a3da3122d |
| SHA256 | d82a74c8637f7ef88e1d21cd6c7084a3458eeeeae6f2579944c0b4b74696f929 |
| SHA512 | ad42dde7898f9e25dd1d97ce53017b37dc462c0b954b9d77376d91df47f55c86d32a7e5e2304b24e42060ac02d6b9776f8078a18cdb3e69e97f6f126e800e6b8 |
memory/2268-142-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp
memory/2268-144-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp
memory/2268-143-0x0000000000B90000-0x0000000000C10000-memory.dmp
memory/548-145-0x0000000074530000-0x0000000074ADB000-memory.dmp
memory/3024-159-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3024-161-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3024-162-0x00000000744E0000-0x0000000074A8B000-memory.dmp
memory/3024-163-0x00000000744E0000-0x0000000074A8B000-memory.dmp
memory/3024-164-0x0000000000DF0000-0x0000000000E30000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95f482dd865cd3226bbd736f84f630ef |
| SHA1 | 7aa4c728a9b0cac5ba9e61712bbaa4ac02845c6e |
| SHA256 | 11375dcd0a97de715cdcdd5dbad8d7ba89a10b3ac4800e0292152e7218a63ade |
| SHA512 | a56c6cabe5d5b75fda12b4d6eecb21b8c64a337d98b3ed51b81747b151193e64813b231b5e7973b63308548850638f3108c7a8e03476bf794ee92db175fcbc9d |
memory/2780-188-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp
memory/2780-189-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp
memory/3024-190-0x00000000744E0000-0x0000000074A8B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-26 23:33
Reported
2023-12-28 18:07
Platform
win10v2004-20231215-en
Max time kernel
125s
Max time network
125s
Command Line
Signatures
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4052 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe |
| PID 4052 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe |
| PID 4052 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe | C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe
"C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe"
C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe
"C:\Users\Admin\AppData\Local\Temp\96739a4d394217c2cbd895cf16acc0c8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| GB | 88.221.134.24:80 | tcp | |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| N/A | 52.111.243.29:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | tcp | |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 20.231.121.79:80 | tcp |
Files
memory/4052-1-0x0000000001590000-0x0000000001592000-memory.dmp
memory/4052-2-0x0000000000D50000-0x0000000000D90000-memory.dmp
memory/4052-0-0x0000000000D50000-0x0000000000D90000-memory.dmp