Malware Analysis Report

2024-10-23 21:47

Sample ID: 240312-qhvh7abg29
Target: BF-TL-605877001.exe
SHA256: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457
Tags: agenttesla purelogstealer zgrat keylogger persistence rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score
10/10

SHA256

e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457

Threat Level: Known bad

The file BF-TL-605877001.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla purelogstealer zgrat keylogger persistence rat spyware stealer trojan

PureLog Stealer payload

ZGRat

AgentTesla

PureLog Stealer

Detect ZGRat V1

Downloads MZ/PE file

Reads data files stored by FTP clients

Executes dropped EXE

Reads WinSCP keys stored on the system

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 13:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 13:16

Reported

2024-03-12 13:18

Platform

win7-20240221-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe

"C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe"

Network

Count Country Destination Domain Proto
1 US 8.8.8.8:53 firstbaptiststjoe.org udp
141 US 44.215.252.154:443 firstbaptiststjoe.org tcp

Files

memory/2036-1-0x0000000074950000-0x000000007503E000-memory.dmp

memory/2036-0-0x0000000001220000-0x000000000129C000-memory.dmp

memory/2036-2-0x00000000010B0000-0x00000000010F0000-memory.dmp

memory/2036-3-0x0000000000290000-0x000000000029A000-memory.dmp

memory/2036-4-0x0000000074950000-0x000000007503E000-memory.dmp

memory/2036-5-0x00000000010B0000-0x00000000010F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 13:16

Reported

2024-03-12 13:18

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect ZGRat V1

Count Description Indicator Process Target
35 N/A N/A N/A N/A

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Count Description Indicator Process Target
2 N/A N/A N/A N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fel.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe" C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1208 set thread context of 3640 N/A C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fel.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 1208 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe C:\Users\Admin\AppData\Local\Temp\fel.exe
3 PID 1208 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
3 PID 1208 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
3 PID 1208 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
8 PID 1208 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
3 PID 2900 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\fel.exe C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe

"C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe"

C:\Users\Admin\AppData\Local\Temp\fel.exe

"C:\Users\Admin\AppData\Local\Temp\fel.exe"

C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe

C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe

C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe

C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe

C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe

C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe

C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe

C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe

C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 firstbaptiststjoe.org udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 44.215.252.154:443 firstbaptiststjoe.org tcp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 154.252.215.44.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp
US 44.215.252.154:443 firstbaptiststjoe.org tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 44.215.252.154:443 firstbaptiststjoe.org tcp
US 66.29.151.236:587 tcp
US 8.8.8.8:53 236.151.29.66.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

memory/1208-0-0x0000000000090000-0x000000000010C000-memory.dmp

memory/1208-1-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/1208-2-0x0000000002440000-0x0000000002450000-memory.dmp

memory/1208-3-0x0000000002400000-0x000000000240A000-memory.dmp

memory/1208-4-0x00000000055B0000-0x00000000057B0000-memory.dmp

memory/1208-5-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-6-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-8-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-10-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-12-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-14-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-16-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-18-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-20-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-22-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-24-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-26-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-28-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-30-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-32-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-34-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-36-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-38-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-40-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-42-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-44-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-46-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-48-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-50-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-52-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-54-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-56-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-58-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-60-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-62-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-64-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-66-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-68-0x00000000055B0000-0x00000000057AB000-memory.dmp

memory/1208-305-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/1208-4782-0x0000000000630000-0x0000000000631000-memory.dmp

memory/1208-4783-0x0000000000820000-0x0000000000868000-memory.dmp

memory/1208-4784-0x0000000000870000-0x00000000008BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fel.exe

MD5 b47c31e89b4cacc864b6279983b4ffc3
SHA1 b082036aa2adb45f2db952d8dcd200fe766cf3cf
SHA256 34109344250f9884f7414b7d31de4f6627d4378e0723446fa836b18b60e8ed84
SHA512 d4febd99d7a9c554aa091ba2a03508bfefcd27ae33f04920865b3802cddcdb1960001acbcb5fab8cf61dc7a1427158b432ffa1c47d377e9417377635a15c994e

memory/2900-4796-0x0000000000E70000-0x0000000000E80000-memory.dmp

memory/1208-4797-0x0000000006600000-0x0000000006BA4000-memory.dmp

memory/2900-4798-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/2900-4800-0x0000000005760000-0x0000000005770000-memory.dmp

memory/2900-4803-0x0000000003220000-0x0000000003226000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BF-TL-605877001.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

memory/1208-4807-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/3640-4806-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/3640-4805-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3640-4808-0x0000000002E70000-0x0000000002E80000-memory.dmp

memory/3640-4809-0x00000000056B0000-0x0000000005716000-memory.dmp

memory/3640-4810-0x0000000006E00000-0x0000000006E50000-memory.dmp

memory/3640-4811-0x0000000006EF0000-0x0000000006F8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe

MD5 3a44104fb5d035d1cd725732e94a5e8d
SHA1 cb3f89df88e1468bca9d5ca01d22588791884ecb
SHA256 dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08
SHA512 eebe4acc924ef0284d7303ae581d29e67f1f2c23042b3a42e37b3bccedc28d10e3370a4221a95dd07c6d930d5bfae606de3a954f625f13a0eedc2eca8921acc1

memory/3020-4824-0x0000000000BD0000-0x0000000000C4C000-memory.dmp

memory/3020-4826-0x0000000002E10000-0x0000000002E1A000-memory.dmp

memory/2900-4825-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/3020-4827-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/3020-4828-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/3640-4829-0x0000000006F90000-0x0000000007022000-memory.dmp

memory/3640-4830-0x0000000006E90000-0x0000000006E9A000-memory.dmp

memory/3640-4831-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/3640-4832-0x0000000002E70000-0x0000000002E80000-memory.dmp

memory/3020-4833-0x0000000005E60000-0x00000000060E6000-memory.dmp

memory/3020-5242-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/3020-5683-0x00000000055D0000-0x00000000055E0000-memory.dmp