Malware Analysis Report

2024-10-19 10:36

Sample ID 230514-jfhchsbb42
Target 2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil
SHA256 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e
Tags
evasion persistence ransomware sodinokibi
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware sodinokibi

Sodinokibi family

Modifies Windows Firewall

Modifies extensions of user files

Enumerates connected drives

Adds Run key to start application

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-14 07:36

Signatures

Sodinokibi family

sodinokibi

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-14 07:36

Reported

2023-05-14 07:39

Platform

win7-20230220-en

Max time kernel

28s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-14 07:36

Reported

2023-05-14 07:39

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification \??\c:\users\admin\pictures\RenameExpand.tiff C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File renamed C:\Users\Admin\Pictures\RenameExpand.tiff => \??\c:\users\admin\pictures\RenameExpand.tiff.yq7er5k C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe" C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7usbmxic31.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\WaitInstall.cfg C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\ExportBlock.otf C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\UseCheckpoint.eprtx C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\RepairEdit.jpeg C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\UndoCompress.3gp2 C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File created \??\c:\program files (x86)\tmp C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\EditInstall.001 C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\ExitImport.M2TS C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\LimitConnect.eps C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\ReceiveSearch.vsw C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\RestoreUnpublish.pcx C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File created \??\c:\program files\yq7er5k-readme.txt C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\ConvertFromExpand.mhtml C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\MeasureComplete.WTV C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\MergeUse.ram C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\PushRead.mpg C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\RepairInstall.emf C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\UnpublishOptimize.mp3 C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\CheckpointConvertFrom.txt C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\ConvertAdd.search-ms C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\DebugCompare.vsdx C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\OutRestore.ram C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\ResolveResume.wps C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File created \??\c:\program files\tmp C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\BackupTest.clr C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\SendBackup.doc C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\SetCheckpoint.vbe C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\CompareUninstall.cfg C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\PingDisable.vdx C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\ImportExit.ram C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\InstallUnprotect.ADTS C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\LimitConfirm.M2T C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\RequestSelect.mp3 C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File created \??\c:\program files (x86)\yq7er5k-readme.txt C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\CopyUnpublish.raw C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
File opened for modification \??\c:\program files\WriteRename.png C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

C:\Recovery\yq7er5k-readme.txt

MD5 77bd641d5387d1314588c0d6baaeb97c
SHA1 b15f7cb2bbb932aa012a567a567759828fa7f29d
SHA256 6cf68f8b51f872d45cfc24923bab9b18e4e25975c4500706244aacaf06cc93be
SHA512 a15b3a850ce199b24225025f362be4ca5e92f74de03684a279751bc47df75e129a06937fb4cb83c4d6b42f36be17b1f2165ade4f399d7ecd74d304e8eea0b038