Malware Analysis Report

2024-12-07 22:44

Sample ID 240720-qdstsszbnl
Target crowdstrike-hotfix(1).zip
SHA256 d941acbebee5cadc37d5860d07e296eb2334b6f00e5ee1c5f4edf832511bc34e
Tags remcos fudstub rat
Score 10/10

Analysis Overview

score
10/10

SHA256

d941acbebee5cadc37d5860d07e296eb2334b6f00e5ee1c5f4edf832511bc34e

Threat Level: Known bad

The file crowdstrike-hotfix(1).zip was found to be: Known bad.

Malicious Activity Summary

remcos fudstub rat

Remcos

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-20 13:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-20 13:09

Reported

2024-07-20 20:31

Platform

win7-20240704-en

Max time kernel

1800s

Max time network

1788s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2280 set thread context of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
FR 213.5.130.58:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\3fd9d65e

MD5 93a4ad254e087866dd80f1d251915d78
SHA1 11da31511e0ec5ea0d3977d81b12546c9da2e0f6
SHA256 5566d99730c3c2fbc2afaadda7047ead225c3cd56c1bb0aa48ebf4cb26310862
SHA512 4dcc457966f09a62d098b03b67c40ab6b274bb6e41851713f9a6542514b76abf7ca9d3a762967ed3f677f66d44b4ff6f17b8e0678b975ba8cd5667441d5f49b1

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-20 13:09

Reported

2024-07-20 20:31

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1780s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3104 set thread context of 3416 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
FR 213.5.130.58:443 tcp
US 8.8.8.8:53 58.130.5.213.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\bd356813

MD5 94b1e2e7fe605703c19b2781138034c3
SHA1 84e50a55327a09be4dbea7a6ae534bc902d07b7e
SHA256 0442811a1b67539e0a0e31022f732d585b4a729a6de4fa0c1f0a6fdcbe79257a
SHA512 2f851bc10ea2699fd650400fb4bf50a92571d8e7d2c0d219d46fa0874c9525f720d5de771b702ebcc3b35654ff92d26789502650ff9e954bd77076dd54a02727

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-20 13:09

Reported

2024-07-20 20:32

Platform

win10v2004-20240709-en

Max time kernel

1799s

Max time network

1781s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4968 set thread context of 3272 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
FR 213.5.130.58:443 tcp
US 8.8.8.8:53 58.130.5.213.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\596aebec

MD5 d336ae369f45f8461508cdb1459e180c
SHA1 5c04503b2b72984cae4db54b5ea7f9eaa9649190
SHA256 328fce3e2e726eceff313cb3619e1acaf675c91fb06a06337965d44c4bdaf26e
SHA512 e5918e7cac038ccc7dff9d7c25447cb5e52b54305befcc5a8b21a518c3cecb95eb0d97f35ea7883af998abb87d1a730e988691c51189d649de791275a213e302

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-20 13:09

Reported

2024-07-20 13:16

Platform

win11-20240709-en

Max time kernel

421s

Max time network

422s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5848 set thread context of 4248 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
FR 213.5.130.58:443 tcp
US 8.8.8.8:53 58.130.5.213.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\f45dd40d

MD5 e677bc4258b90087c676f4aa15dfea63
SHA1 3321ea06efcce547921e99bc803978712a00ebe0
SHA256 72d802975b8b0c078c139859f2f924b1bf5dc3249cfeafa337631d53767bdc8c
SHA512 f63900d1d819cd56fb33c28c73bce0603dde8214c5817cf25ade7c4b53aa207cde865113fb2d876dd9906ad8a7389c1ea995f2429a7c62c67c7371672241b945
