Malware Analysis Report

2024-09-22 14:39

Sample ID 220525-qwjnvaefbn
Target 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b.zip
SHA256 a6998e84b935d69890ee8317d7bbd4e27c18f1e07abe6d0806384ea7fa13ce4a
Tags
maze ransomware spyware stealer suricata trojan
score
10/10


Analysis Overview

score
10/10

SHA256

a6998e84b935d69890ee8317d7bbd4e27c18f1e07abe6d0806384ea7fa13ce4a

Threat Level: Known bad

The file 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b.zip was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer suricata trojan

Maze

suricata: ET MALWARE Maze/ID Ransomware Activity

Deletes shadow copies

Modifies extensions of user files

Reads user/profile data of web browsers

Drops startup file

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-05-25 13:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-25 13:36

Reported

2022-05-25 13:46

Platform

win7-20220414-en

Max time kernel

493s

Max time network

455s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"

Signatures

Maze

trojan ransomware maze

suricata: ET MALWARE Maze/ID Ransomware Activity

suricata

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\PingInvoke.crw => C:\Users\Admin\Pictures\PingInvoke.crw.YXqFR0 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\StartInstall.crw => C:\Users\Admin\Pictures\StartInstall.crw.YXqFR0 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\UndoSync.crw => C:\Users\Admin\Pictures\UndoSync.crw.cSuYETk C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\DebugGet.crw => C:\Users\Admin\Pictures\DebugGet.crw.uzDo1 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8870099cba3b4973.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ExitRename.xps C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\FormatReset.m1v C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\HideConvertFrom.ttc C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ResolveComplete.php C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\SearchResolve.wmv C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\PingProtect.docx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\TestUnprotect.aiff C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UnprotectExport.vdw C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\8870099cba3b4973.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\LockExit.dib C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UnlockDeny.raw C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\8870099cba3b4973.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\AssertUnlock.cmd C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ConvertFromReset.midi C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\DenyPublish.mpeg3 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\InvokePop.htm C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\JoinRemove.vdx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ReceiveEnable.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ResolveOpen.3gp2 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\StepSet.vbe C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\SwitchLimit.vssx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\TestWatch.dwfx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UndoInstall.sql C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\8870099cba3b4973.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ConfirmShow.css C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\EnterConfirm.mp3 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\RestartConnect.rmi C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\SuspendDisconnect.vsdm C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files (x86)\8870099cba3b4973.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\8870099cba3b4973.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ConvertToHide.jfif C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\OutSelect.WTV C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\SubmitMeasure.vst C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\TestRestore.mpeg2 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ApproveDisable.dot C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\CompleteBlock.sql C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\wordupd.exe

"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\xsao\ec\..\..\Windows\lqq\ug\sjwm\..\..\..\system32\teg\cyc\kfd\..\..\..\wbem\jh\tbwth\w\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x1d0

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0xc8

Network

Country Destination Domain Proto
RU 91.218.114.4:80 91.218.114.4 tcp
RU 91.218.114.11:80 tcp
RU 91.218.114.4:80 91.218.114.4 tcp
RU 91.218.114.4:80 91.218.114.4 tcp
RU 91.218.114.11:80 tcp
RU 91.218.114.11:80 tcp
RU 91.218.114.11:80 tcp
RU 91.218.114.11:80 tcp
RU 91.218.114.25:80 tcp
RU 91.218.114.25:80 tcp
RU 91.218.114.25:80 tcp
RU 91.218.114.25:80 tcp
RU 91.218.114.25:80 tcp
RU 91.218.114.25:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.37:80 91.218.114.37 tcp
RU 91.218.114.37:80 91.218.114.37 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.77:80 tcp
RU 91.218.114.77:80 tcp
RU 91.218.114.77:80 tcp
RU 91.218.114.77:80 tcp
RU 91.218.114.77:80 tcp
RU 91.218.114.77:80 tcp
RU 91.218.114.79:80 tcp
RU 91.218.114.79:80 tcp
RU 91.218.114.79:80 tcp
RU 91.218.114.79:80 tcp
RU 91.218.114.79:80 tcp
RU 91.218.114.79:80 tcp

Files

memory/1464-54-0x0000000000230000-0x00000000002D1000-memory.dmp

memory/1464-55-0x00000000754A1000-0x00000000754A3000-memory.dmp

memory/1464-56-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1196-57-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-25 13:36

Reported

2022-05-25 13:46

Platform

win10v2004-20220414-en

Max time kernel

600s

Max time network

603s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"

Signatures

Maze

trojan ransomware maze

suricata: ET MALWARE Maze/ID Ransomware Activity

suricata

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\UndoUpdate.tiff => C:\Users\Admin\Pictures\UndoUpdate.tiff.d8zv C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Users\Admin\Pictures\UseUnblock.tiff C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\WatchPing.crw => C:\Users\Admin\Pictures\WatchPing.crw.d8zv C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\BlockResume.crw => C:\Users\Admin\Pictures\BlockResume.crw.BYm2 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Users\Admin\Pictures\UndoUpdate.tiff C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\ReceiveInvoke.tif => C:\Users\Admin\Pictures\ReceiveInvoke.tif.q9Di C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendCompare.crw => C:\Users\Admin\Pictures\SuspendCompare.crw.q9Di C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\UseUnblock.tiff => C:\Users\Admin\Pictures\UseUnblock.tiff.d8zv C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Users\Admin\Pictures\AssertJoin.tiff C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\ConfirmTest.raw => C:\Users\Admin\Pictures\ConfirmTest.raw.BYm2 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\AssertJoin.tiff => C:\Users\Admin\Pictures\AssertJoin.tiff.BYm2 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\UnprotectClose.raw => C:\Users\Admin\Pictures\UnprotectClose.raw.d8zv C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\CloseBackup.tif => C:\Users\Admin\Pictures\CloseBackup.tif.BYm2 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File renamed C:\Users\Admin\Pictures\CompleteUnprotect.png => C:\Users\Admin\Pictures\CompleteUnprotect.png.BYm2 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\89ba09ba7e010201.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\89ba09ba7e010201.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0AF88682-368F-4686-83A6-D5E92A110729}.catalogItem C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4EF9EFD2-CDEA-4408-B175-7D92A668238A}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5BA42EB9-661B-4478-B321-70599C7E94AD}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E88895AA-D8DF-46BF-AF14-1A1D68B05FC2}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NXQXXLFST89.dat C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{15B1774C-A2B8-499F-A26E-3683BC483FE9}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{61AC62B4-4B02-4CEE-BB32-CE661F25AB35}.catalogItem C:\Windows\System32\svchost.exe N/A
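Added example (not part of the sandbox report): a small parser for the "Description Indicator Process Target" rows in the "Modifies extensions of user files", "Drops startup file" and "Drops file in System32 directory" tables of both behavioral runs. It makes two points a practitioner needs before turning this page into a rule. First, the suffix appended to each encrypted file is not a stable indicator: one run alone shows YXqFR0, cSuYETk and uzDo1, the other d8zv, BYm2 and q9Di, so a detection keyed on a fixed extension fails; the stable signals are the rename-with-random-suffix pattern and the same note filename (DECRYPT-FILES.txt) being created in many directories by one process. Second, rows are attributed to a process, and the System32 rows belong to svchost.exe, not to wordupd.exe, so a per-process view is needed before treating every row as sample behaviour. The rows below are copied from the tables above; the extension allow-list and the "random suffix" heuristic are assumptions of this example.

```python
import ntpath
import re
from collections import defaultdict

# Constructed input: rows copied from the behavioral tables above, in the
# report's own "Description Indicator Process Target" layout. The last row
# is the svchost.exe entry from "Drops file in System32 directory".
ROWS = [
    r"File renamed C:\Users\Admin\Pictures\PingInvoke.crw => C:\Users\Admin\Pictures\PingInvoke.crw.YXqFR0 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A",
    r"File renamed C:\Users\Admin\Pictures\UndoSync.crw => C:\Users\Admin\Pictures\UndoSync.crw.cSuYETk C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A",
    r"File renamed C:\Users\Admin\Pictures\DebugGet.crw => C:\Users\Admin\Pictures\DebugGet.crw.uzDo1 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A",
    r"File renamed C:\Users\Admin\Pictures\UndoUpdate.tiff => C:\Users\Admin\Pictures\UndoUpdate.tiff.d8zv C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A",
    r"File renamed C:\Users\Admin\Pictures\ConfirmTest.raw => C:\Users\Admin\Pictures\ConfirmTest.raw.BYm2 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A",
    r"File opened for modification C:\Users\Admin\Pictures\UseUnblock.tiff C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A",
    r"File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A",
    r"File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0AF88682-368F-4686-83A6-D5E92A110729}.catalogItem C:\Windows\System32\svchost.exe N/A",
]

# Paths may contain spaces ("Program Files (x86)", "Start Menu"), so the path
# group is lazy and the row is anchored on the trailing process and target.
RENAME_ROW = re.compile(
    r"^File renamed (?P<old>.+?) => (?P<new>.+?) (?P<proc>\S+\.exe) (?P<target>\S+)$", re.I)
FILE_ROW = re.compile(
    r"^(?P<desc>File created|File opened for modification) (?P<path>.+?) (?P<proc>\S+\.exe) (?P<target>\S+)$", re.I)

# Assumed allow-list: ordinary extensions that must never count as a random suffix.
COMMON_EXT = {"txt", "bak", "tmp", "log", "jpg", "png", "docx", "xlsx", "pdf", "zip"}


def parse_row(row: str) -> dict:
    """Turn one flattened table row into an event dict keyed by process basename."""
    m = RENAME_ROW.match(row)
    if m:
        return {"event": "rename", "old": m["old"], "new": m["new"],
                "process": ntpath.basename(m["proc"]).lower()}
    m = FILE_ROW.match(row)
    if m:
        return {"event": m["desc"].lower(), "path": m["path"],
                "process": ntpath.basename(m["proc"]).lower()}
    raise ValueError(f"unrecognised row: {row!r}")


def appended_suffix(old: str, new: str):
    """Suffix appended to the original name (x.crw -> x.crw.YXqFR0), else None."""
    if new.lower().startswith(old.lower() + ".") and len(new) > len(old) + 1:
        return new[len(old) + 1:]
    return None


def suffix_looks_random(suffix: str) -> bool:
    """Heuristic (assumption): short alphanumeric suffix with digits or mixed case."""
    if not re.fullmatch(r"[A-Za-z0-9]{3,8}", suffix) or suffix.lower() in COMMON_EXT:
        return False
    has_digit = any(ch.isdigit() for ch in suffix)
    mixed_case = suffix.lower() != suffix and suffix.upper() != suffix
    return has_digit or mixed_case


def summarise(rows):
    """Per-process view: random-suffix renames, suffixes seen, created names by directory."""
    per_proc = defaultdict(lambda: {"random_renames": 0, "suffixes": set(),
                                    "created": defaultdict(set)})
    for ev in map(parse_row, rows):
        entry = per_proc[ev["process"]]
        if ev["event"] == "rename":
            suffix = appended_suffix(ev["old"], ev["new"])
            if suffix and suffix_looks_random(suffix):
                entry["random_renames"] += 1
                entry["suffixes"].add(suffix)
        elif ev["event"] == "file created":
            name, directory = ntpath.basename(ev["path"]), ntpath.dirname(ev["path"])
            entry["created"][name].add(directory)
    return dict(per_proc)


def ransomware_suspects(rows, min_renames=3, min_note_dirs=2):
    """Processes that mass-rename with random suffixes and replicate one file across directories."""
    out = {}
    for proc, s in summarise(rows).items():
        notes = [n for n, dirs in s["created"].items() if len(dirs) >= min_note_dirs]
        if s["random_renames"] >= min_renames and notes:
            out[proc] = {"suffixes": sorted(s["suffixes"]), "notes": sorted(notes)}
    return out


if __name__ == "__main__":
    for proc, info in ransomware_suspects(ROWS).items():
        print(proc, info)
```

The rule keys on behaviour that survives across both runs: one process renaming many user files to name-plus-random-suffix and dropping the same note name in several directories. svchost.exe never satisfies it, which is the right outcome for the System32 rows.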

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\AddPop.AAC C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\BackupSubmit.ppt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UninstallSync.jpeg C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UpdateMeasure.dib C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\WriteClose.iso C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ConnectPop.xla C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\GrantConvertTo.mpp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\GrantEnable.ogg C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\MeasureMove.wma C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ResetDisable.rm C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\StepPush.mpv2 C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\89ba09ba7e010201.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ConvertImport.wdp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\DismountOut.tiff C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\FindUnlock.jpeg C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\OptimizeSearch.xml C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\PublishReceive.potx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\CompressCompare.ppt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\GetExport.svg C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\InitializeConvertTo.ex_ C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\PublishResume.png C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\RequestRedo.mpg C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\UnpublishStep.vbs C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File created C:\Program Files (x86)\DECRYPT-FILES.txt C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files (x86)\89ba09ba7e010201.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ResizeSubmit.3gpp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\SendReceive.tmp C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ShowEnter.pub C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\ExportUnblock.tif C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\StepMount.xlsx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
File opened for modification C:\Program Files\TraceFormat.eprtx C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wordupd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4200 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\wordupd.exe C:\Windows\system32\wbem\wmic.exe
PID 4200 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\wordupd.exe C:\Windows\system32\wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\wordupd.exe

"C:\Users\Admin\AppData\Local\Temp\wordupd.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\inc\bhv\vtu\..\..\..\Windows\vqnpk\su\f\..\..\..\system32\ubt\r\f\..\..\..\wbem\fa\..\wmic.exe" shadowcopy delete

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x49c 0x2fc

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x49c 0x2fc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
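Added example (not part of the sandbox report): the wmic.exe command lines recorded in the Processes sections of behavioral1 and behavioral2 hide the real image path behind random directory names joined with ".." segments, so a rule that greps for the literal string C:\Windows\system32\wbem\wmic.exe, or for "wmic.exe shadowcopy delete" as a substring, misses them. Process-creation telemetry usually carries both the resolved image path and the raw command line, and the raw command line is where this lives. The code below normalises the path with ntpath before matching and also reports how much traversal was present, which is a signal on its own. The two obfuscated lines are copied from the report; the third, unobfuscated line is a hypothetical control.

```python
import ntpath
import re

# Constructed events: the two wmic.exe command lines recorded in the
# Processes sections of behavioral1 and behavioral2, plus one unobfuscated
# control line (hypothetical) that must not trigger the shadow-copy rule.
SAMPLE_EVENTS = [
    r'"C:\xsao\ec\..\..\Windows\lqq\ug\sjwm\..\..\..\system32\teg\cyc\kfd\..\..\..\wbem\jh\tbwth\w\..\..\..\wmic.exe" shadowcopy delete',
    r'"C:\inc\bhv\vtu\..\..\..\Windows\vqnpk\su\f\..\..\..\system32\ubt\r\f\..\..\..\wbem\fa\..\wmic.exe" shadowcopy delete',
    r'"C:\Windows\system32\wbem\wmic.exe" os get caption',
]

SHADOW_DELETE = re.compile(r"\bshadowcopy\s+delete\b")


def split_image(cmdline: str) -> tuple[str, str]:
    """Return (image_path, arguments) for a Windows-style command line.

    Handles the quoted form shown in the report (image path in double quotes,
    then arguments) and the unquoted form, where the first token is the image.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command line")
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, tail = cmdline.partition(" ")
    return head, tail.strip()


def normalise_image(image: str) -> str:
    """Collapse '.' and '..' segments and repeated separators; lower-case for matching."""
    return ntpath.normpath(image).lower()


def traversal_segments(image: str) -> int:
    """Number of '..' segments in the raw image path (0 for a clean path)."""
    return sum(1 for seg in re.split(r"[\\/]", image) if seg == "..")


def classify(cmdline: str) -> dict:
    """Normalise one process-creation command line and apply the shadow-copy rule."""
    image, args = split_image(cmdline)
    norm = normalise_image(image)
    args_norm = " ".join(args.split()).lower()
    hops = traversal_segments(image)
    return {
        "image": norm,
        "args": args_norm,
        "traversal_segments": hops,
        "obfuscated_path": hops > 0,
        "shadow_copy_deletion": ntpath.basename(norm) == "wmic.exe"
        and SHADOW_DELETE.search(args_norm) is not None,
    }


def find_shadow_copy_deletions(events: list[str]) -> list[int]:
    """Indices of events that delete shadow copies via wmic, however the path is written."""
    return [i for i, e in enumerate(events) if classify(e)["shadow_copy_deletion"]]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = classify(event)
        print(f"{verdict['image']}  traversal={verdict['traversal_segments']}  "
              f"shadow_copy_deletion={verdict['shadow_copy_deletion']}")
```

Both recorded lines normalise to c:\windows\system32\wbem\wmic.exe with 11 and 10 traversal segments respectively; a clean invocation of the same binary has none, so "obfuscated_path" can be alerted on independently of what the arguments do.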

Network

Country Destination Domain Proto
RU 91.218.114.4:80 91.218.114.4 tcp
RU 91.218.114.4:80 91.218.114.4 tcp
RU 91.218.114.11:80 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 www.bing.com tcp
US 204.79.197.200:443 tcp
RU 91.218.114.11:80 tcp
RU 91.218.114.4:80 91.218.114.4 tcp
RU 91.218.114.11:80 tcp
US 52.168.117.170:443 tcp
RU 91.218.114.25:80 tcp
RU 91.218.114.11:80 tcp
RU 91.218.114.25:80 tcp
RU 91.218.114.25:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.25:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.37:80 91.218.114.37 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.37:80 91.218.114.37 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.77:80 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.77:80 tcp
RU 91.218.114.77:80 tcp
RU 91.218.114.79:80 tcp
RU 91.218.114.77:80 tcp
RU 91.218.114.79:80 tcp
RU 91.218.114.79:80 tcp
RU 91.218.114.79:80 tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 store-images.s-microsoft.com udp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
US 8.8.8.8:53 tsfe.trafficshaping.dsp.mp.microsoft.com udp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 2.tlu.dl.delivery.mp.microsoft.com udp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 4.tlu.dl.delivery.mp.microsoft.com udp
NL 87.248.202.1:80 4.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 11.tlu.dl.delivery.mp.microsoft.com udp
US 93.184.221.240:80 11.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
NL 104.110.191.148:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.148:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
NL 104.110.191.148:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
SG 168.63.250.82:80 tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.33:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
US 204.79.197.200:443 www.bing.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
FR 2.22.147.91:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tlu.dl.delivery.mp.microsoft.com tcp
CH 23.10.249.33:80 tcp

Files

memory/4200-130-0x0000000000970000-0x0000000000A11000-memory.dmp

memory/4200-131-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2516-132-0x0000000000000000-mapping.dmp