Malware Analysis Report

2025-01-03 05:03

Sample ID 231231-hd5vcsadd5
Target 2becacc54640ee85368060f50cdf970c
SHA256 fffa9ead850e0fcaf571a59b808bf2b2d25b465be4d7300b3f828c63ac779259
Tags bitrat zgrat persistence rat trojan upx
Score 10/10

Analysis Overview

score
10/10

SHA256

fffa9ead850e0fcaf571a59b808bf2b2d25b465be4d7300b3f828c63ac779259

Threat Level: Known bad

The file 2becacc54640ee85368060f50cdf970c was found to be: Known bad.

Malicious Activity Summary

bitrat zgrat persistence rat trojan upx

ZGRat

Modifies WinLogon for persistence

Detect ZGRat V1

BitRAT

UPX packed file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 06:38

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 06:38

Reported

2024-01-05 19:45

Platform

win7-20231215-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe"

Signatures

BitRAT

trojan bitrat

Detect ZGRat V1


Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\JavaUpdate\\JavaUpdate.exe\"," C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe N/A

ZGRat

rat zgrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

UPX packed file

upx

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2512 set thread context of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe C:\Windows\SysWOW64\WScript.exe
PID 2512 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 532 wrote to memory of 1916 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe

"C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Enobllqetjhztazrykyqe.vbs"

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\JavaUpdate\JavaUpdate.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 dontreachme.duckdns.org udp
DE 46.142.89.10:1337 dontreachme.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\_Enobllqetjhztazrykyqe.vbs

MD5 75fda8189e60e05655aea55fe68591c0
SHA1 de2177e12403c59f81d278497a387089ddd10d73
SHA256 cf8322af201e7b0f5d5b2b93c0df541c8785436ebdf04a32addc46b13caf81c5
SHA512 1bc581cbe6ba2f7f9a419bdb9b582ec5585d5cdfd8e245cab19c269d2bd4ecbc151cd98996b8d5f330304fda243c4a13388f1c601111dbab59fd0ad35e5ea647

\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 06:38

Reported

2024-01-05 19:45

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe"

Signatures

Detect ZGRat V1


Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\JavaUpdate\\JavaUpdate.exe\"," C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe N/A

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4716 set thread context of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4716 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe C:\Windows\SysWOW64\WScript.exe
PID 4716 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 3832 wrote to memory of 5016 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe

"C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Enobllqetjhztazrykyqe.vbs"

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\JavaUpdate\JavaUpdate.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 dontreachme.duckdns.org udp
DE 46.142.89.10:1337 dontreachme.duckdns.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files
