Analysis Overview
SHA256
b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09
Threat Level: Known bad
The file b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe was found to be: Known bad.
Malicious Activity Summary
BlackNET Payload
Blacknet family
BlackNET
Contains code to disable Windows Defender
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-12 01:23
Signatures
BlackNET Payload
Blacknet family
Contains code to disable Windows Defender
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-12 01:23
Reported
2022-04-12 01:40
Platform
win7-20220331-en
Max time kernel
39s
Max time network
148s
Command Line
Signatures
BlackNET
BlackNET Payload
Contains code to disable Windows Defender
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe" | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MyClient\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows\CurrentVersion\Run\df7427b5e05183e625345c3c37ef31c0 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MyClient\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchosts.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe
"C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\svchosts.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | finalb.xyz | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
| MD5 | c4f79edc4498c5570495bb36fc942134 |
| SHA1 | 00046b588252502480e8e708a22d25ae1d9b05fa |
| SHA256 | b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09 |
| SHA512 | 07bdeb39b35835a752886c2d308a68d263b36e8372d2bf320ede5b85252d14e284985d0889dfa9fcffec7ede7c3585a46cb0165b00be903755ffe63cacb21cef |
C:\Users\Admin\AppData\Local\Temp\svchosts.exe
| MD5 | 89dd6e72358a669b7d6e2348307a7af7 |
| SHA1 | 0db348f3c6114a45d71f4d218e0e088b71c7bb0a |
| SHA256 | ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e |
| SHA512 | 93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b |
C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe
| MD5 | c4f79edc4498c5570495bb36fc942134 |
| SHA1 | 00046b588252502480e8e708a22d25ae1d9b05fa |
| SHA256 | b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09 |
| SHA512 | 07bdeb39b35835a752886c2d308a68d263b36e8372d2bf320ede5b85252d14e284985d0889dfa9fcffec7ede7c3585a46cb0165b00be903755ffe63cacb21cef |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-12 01:23
Reported
2022-04-12 01:41
Platform
win10v2004-20220331-en
Max time kernel
130s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4264 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | C:\Windows\system32\fondue.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe
"C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe"
C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
Network
Files
memory/1616-124-0x0000000000000000-mapping.dmp