Malware Analysis Report

2024-11-16 13:48

Sample ID 240629-asw7rszarr
Target dee45b3ad0c841d54049061df5775ec0.exe
SHA256 159e547225b9f035bf95279055d66810149fa93debea660766552008271e3e5c
Tags
stealc vidar discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

159e547225b9f035bf95279055d66810149fa93debea660766552008271e3e5c

Threat Level: Known bad

The file dee45b3ad0c841d54049061df5775ec0.exe was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer

Vidar

Detect Vidar Stealer

Stealc

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-29 00:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 00:29

Reported

2024-06-29 00:31

Platform

win7-20240611-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1656 set thread context of 912 N/A C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1656 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp 9
PID 912 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp C:\Windows\SysWOW64\cmd.exe 4
PID 2872 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe

"C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe"

C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp

C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\kat15F1.tmp" & rd /s /q "C:\ProgramData\EHIDAKECFIEB" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 t.me udp 1
NL 149.154.167.99:443 t.me tcp 4
US 8.8.8.8:53 steamcommunity.com udp 1
BE 104.68.92.92:443 steamcommunity.com tcp 1
FI 65.109.243.105:443 65.109.243.105 tcp 9
FI 65.109.243.105:443 N/A tcp 6
FI 65.109.243.105:443 65.109.243.105 tcp 6
US 8.8.8.8:53 tea.arpdabl.org udp 1
DE 207.180.253.128:80 tea.arpdabl.org tcp 1

Files

memory/1656-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1656-1-0x0000000003270000-0x0000000003380000-memory.dmp

\Users\Admin\AppData\Local\Temp\kat15F1.tmp

MD5 66064dbdb70a5eb15ebf3bf65aba254b
SHA1 0284fd320f99f62aca800fb1251eff4c31ec4ed7
SHA256 6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795
SHA512 b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

memory/912-15-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-24-0x0000000000400000-0x0000000000648000-memory.dmp

memory/1656-21-0x0000000000400000-0x0000000000635000-memory.dmp

memory/912-19-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-17-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-11-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-9-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-13-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-23-0x0000000000400000-0x0000000000648000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab402E.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

memory/912-55-0x0000000000400000-0x0000000000648000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar45B1.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

memory/912-137-0x0000000000400000-0x0000000000648000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 694d8cad1ec9ccb15da95727ce1fd751
SHA1 9a3eaaeb1bf65e514fdb35d9456886d0e292be50
SHA256 5ce10526c822d58833bec30bb8396afaa63104a896806eb1e806692b1fbddc03
SHA512 63f8eda3ec4fa263787cb52ebaa3e28aa1fcc3b0f328e42017ace9f4c732dc3da98956b93ed890b304ada94ffa77d42521ac83eb936a0253046ceb90c150fa71

memory/912-170-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-173-0x000000001DBC0000-0x000000001DE1F000-memory.dmp

memory/912-181-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-189-0x0000000000400000-0x0000000000648000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 653df58168c88e0838b3d262c9018e29
SHA1 125378d4146f1b88c53c8b8c4d58a300e577a59f
SHA256 3bf415cf652a0ab96b5fcff11b2b00b761723f7842fae09eea47b03ddc564ead
SHA512 03ab3cc19c888a453e0d1b6fee9d3670aadb7f7eff6a8e2e098fb93f20bb6a260ca1a61a3afe65e5f285d757ea240c1be4cbfdcba2378571cfe2afd141f670f9

memory/912-229-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-362-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-379-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-380-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-397-0x0000000000400000-0x0000000000648000-memory.dmp

memory/912-430-0x0000000000400000-0x0000000000648000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 00:29

Reported

2024-06-29 00:31

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kat65AF.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kat65AF.tmp N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3532 set thread context of 4564 N/A C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe C:\Users\Admin\AppData\Local\Temp\kat65AF.tmp

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\kat65AF.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\kat65AF.tmp N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3532 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe C:\Users\Admin\AppData\Local\Temp\kat65AF.tmp 8
PID 4564 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\kat65AF.tmp C:\Windows\SysWOW64\cmd.exe 3
PID 816 wrote to memory of 4056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe

"C:\Users\Admin\AppData\Local\Temp\dee45b3ad0c841d54049061df5775ec0.exe"

C:\Users\Admin\AppData\Local\Temp\kat65AF.tmp

C:\Users\Admin\AppData\Local\Temp\kat65AF.tmp

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\kat65AF.tmp" & rd /s /q "C:\ProgramData\JEHIIDGCFHIE" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 t.me udp 1
NL 149.154.167.99:443 t.me tcp 1
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp 1
US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp 1
DE 195.201.251.214:9000 195.201.251.214 tcp 2
US 8.8.8.8:53 214.251.201.195.in-addr.arpa udp 1
DE 195.201.251.214:9000 195.201.251.214 tcp 6
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp 1
DE 195.201.251.214:9000 195.201.251.214 tcp 1
DE 195.201.251.214:9000 N/A tcp 3
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp 1
DE 195.201.251.214:9000 N/A tcp 3
DE 195.201.251.214:9000 195.201.251.214 tcp 6
US 8.8.8.8:53 tea.arpdabl.org udp 1
DE 207.180.253.128:80 tea.arpdabl.org tcp 1
US 8.8.8.8:53 128.253.180.207.in-addr.arpa udp 1
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 95.12.20.2.in-addr.arpa udp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp 1

Files

memory/3532-0-0x00000000007F0000-0x00000000007F1000-memory.dmp

memory/3532-1-0x0000000004080000-0x0000000004190000-memory.dmp

memory/4564-4-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-8-0x0000000000400000-0x0000000000648000-memory.dmp

memory/3532-9-0x0000000000400000-0x0000000000635000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kat65AF.tmp

MD5 66064dbdb70a5eb15ebf3bf65aba254b
SHA1 0284fd320f99f62aca800fb1251eff4c31ec4ed7
SHA256 6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795
SHA512 b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

memory/4564-10-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-22-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-23-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-24-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-26-0x00000000226C0000-0x000000002291F000-memory.dmp

memory/4564-41-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-42-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-58-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-59-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-66-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-71-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-72-0x0000000000400000-0x0000000000648000-memory.dmp

memory/4564-75-0x0000000000400000-0x0000000000648000-memory.dmp