Malware Analysis Report

2025-01-18 04:19

Sample ID: 240105-n3grqabbgq
Target: 10bb8284965045b7c9bc442e5ce1f184.exe
SHA256: b19c884ff608ddcd01a1961791de3c8a4a058f7c17f23abec5a1aeb0ee2f44ff
Tags: quasar office04 spyware trojan persistence
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: b19c884ff608ddcd01a1961791de3c8a4a058f7c17f23abec5a1aeb0ee2f44ff

Threat Level: Known bad

The file 10bb8284965045b7c9bc442e5ce1f184.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan persistence

Quasar payload

Quasar RAT

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-05 11:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-05 11:55
Reported: 2024-01-05 12:03
Platform: win7-20231129-en
Max time kernel: 8s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1748 set thread context of 2196 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 1748 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 1748 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 1748 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 1748 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 1748 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 1748 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 1748 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 1748 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2196 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2196 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2196 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2196 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe

Processes

C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe

"C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe"

C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe

"C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Offline" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe"

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Offline" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/1748-0-0x0000000000BB0000-0x0000000000C62000-memory.dmp

memory/1748-1-0x0000000074680000-0x0000000074D6E000-memory.dmp

memory/1748-2-0x00000000049E0000-0x0000000004A20000-memory.dmp

memory/1748-3-0x0000000000310000-0x0000000000328000-memory.dmp

memory/2196-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2196-16-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2196-14-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2196-12-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2196-17-0x0000000074680000-0x0000000074D6E000-memory.dmp

memory/2196-18-0x0000000002410000-0x0000000002450000-memory.dmp

memory/2196-8-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2196-6-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2196-5-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2196-4-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe

MD5 d8ed600eb451d330548746c9739e746c
SHA1 ae0f39c9aa16fd25cef43c37479b3a9d11eaa0e4
SHA256 cfb46b74bc48dea2e2b738e45de8b5ad98aef3b2a4b5a956c69b0a6fb2ee9261
SHA512 c4ad630c7bfaf78411363b1611cc8d5109e6b130b9aedf958aa90faa17c69d85c03a46549de5b90ec61d440274e49dcc2d9b25a1a560ab143b7855b132630a13

memory/2196-27-0x0000000074680000-0x0000000074D6E000-memory.dmp

memory/2728-26-0x0000000074680000-0x0000000074D6E000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe

MD5 6406ed076f9cfd13d57fa6be66aa6443
SHA1 18e90e783f92db7df9ab614ae079b6f26654baf9
SHA256 e8f4849eca7d3272090a8c50228d60147d35cc36749749fe2b9ff3a60fb14233
SHA512 d995caaea5e521ce910b6c12c08cc1fabb25374ba45b685d5bf6685fe20276cb96da4b1b2451b15001defd3ea4e2b48e68500748d933399564068d4f8e0d37eb

memory/2728-25-0x0000000000A70000-0x0000000000B22000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe

MD5 8f8f887098f9ead151a095f7b314f03e
SHA1 e723d6aebc009785c72f78f572182f20198c0772
SHA256 2c4416df7a82c46fc1a69bf44bc82b8fb7524243532a013d78bd63d9aeab5fff
SHA512 ef050ce89fa682cdc3ca06e9e114127331ffff2001399ea6e2e575eeca42908d57e38b5704aed563d4987452ceef8838d37c759b3557bfbcf9dc42499a678395

memory/2728-28-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

memory/2512-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe

MD5 4199ceb863d4b3c11a31e34994a11a1a
SHA1 6f29c6923fa20c4df8f2303ad817a3e09cef3ed8
SHA256 cf223406d153ca86c3b2de3f5bd7518c0bc6c4760fbb6a8f4c82cb1f220a2fa7
SHA512 2b80823650b132f29b0e7edad5bd5a77a663645e1a0eee508b867e702c93e4bc94c9da74ffff83b5993f445adbf918c5cb7033011387905a8c7be673db64718e

memory/2512-41-0x0000000074680000-0x0000000074D6E000-memory.dmp

memory/1748-43-0x0000000074680000-0x0000000074D6E000-memory.dmp

memory/1748-44-0x00000000049E0000-0x0000000004A20000-memory.dmp

memory/2728-45-0x0000000074680000-0x0000000074D6E000-memory.dmp

memory/2728-46-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

memory/2512-47-0x0000000074680000-0x0000000074D6E000-memory.dmp

memory/2512-48-0x0000000004950000-0x0000000004990000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-05 11:55
Reported: 2024-01-05 12:04
Platform: win10v2004-20231215-en
Max time kernel: 155s
Max time network: 171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Offline = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Microsoft Offline.exe\"" C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2100 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2100 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2100 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2100 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2100 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2100 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2100 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2100 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2100 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2100 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe
PID 2116 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Windows\SysWOW64\schtasks.exe
PID 2116 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Windows\SysWOW64\schtasks.exe
PID 2116 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Windows\SysWOW64\schtasks.exe
PID 2116 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2116 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2116 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2344 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2344 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2344 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2344 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2344 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2344 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2344 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2344 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe
PID 2224 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe C:\Windows\SysWOW64\schtasks.exe
PID 2224 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe C:\Windows\SysWOW64\schtasks.exe
PID 2224 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe

"C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe"

C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe

"C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe"

C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe

"C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Offline" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\10bb8284965045b7c9bc442e5ce1f184.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe"

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Microsoft Offline" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp

Files

memory/2100-0-0x0000000074E00000-0x00000000755B0000-memory.dmp

memory/2100-1-0x0000000000540000-0x00000000005F2000-memory.dmp

memory/2100-2-0x0000000074E00000-0x00000000755B0000-memory.dmp

memory/2100-3-0x00000000050F0000-0x000000000518C000-memory.dmp

memory/2100-4-0x0000000005240000-0x0000000005250000-memory.dmp

memory/2100-5-0x0000000005A00000-0x0000000005FA4000-memory.dmp

memory/2100-6-0x0000000005090000-0x00000000050A8000-memory.dmp

memory/2116-7-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2116-8-0x0000000074E00000-0x00000000755B0000-memory.dmp

memory/2116-9-0x0000000005370000-0x0000000005402000-memory.dmp

memory/2116-10-0x0000000005330000-0x0000000005340000-memory.dmp

memory/2116-11-0x0000000005680000-0x00000000056E6000-memory.dmp

memory/2116-12-0x0000000006410000-0x0000000006422000-memory.dmp

memory/2100-13-0x0000000005240000-0x0000000005250000-memory.dmp

memory/2116-14-0x0000000006990000-0x00000000069CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Offline.exe

MD5 10bb8284965045b7c9bc442e5ce1f184
SHA1 0ca24ca1e8d2f4a9fecaea0134233781cb57e125
SHA256 b19c884ff608ddcd01a1961791de3c8a4a058f7c17f23abec5a1aeb0ee2f44ff
SHA512 9802721432375befb67b83122eb0d1260db698c2a74c7d0aff15ed3da5f433aff2d3fafa66369b997586a7b79740108fb923eaf9caee7032ff98a165aaebc87a

memory/2344-19-0x0000000074E00000-0x00000000755B0000-memory.dmp

memory/2344-20-0x0000000000330000-0x00000000003E2000-memory.dmp

memory/2116-22-0x0000000074E00000-0x00000000755B0000-memory.dmp

memory/2344-23-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

memory/2224-26-0x0000000074E00000-0x00000000755B0000-memory.dmp

memory/2224-27-0x0000000005240000-0x0000000005250000-memory.dmp

memory/2224-29-0x0000000006AE0000-0x0000000006AEA000-memory.dmp

memory/2344-30-0x0000000074E00000-0x00000000755B0000-memory.dmp

memory/2344-31-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

memory/2224-32-0x0000000074E00000-0x00000000755B0000-memory.dmp

memory/2224-33-0x0000000005240000-0x0000000005250000-memory.dmp