Malware Analysis Report

2025-01-18 04:38

Sample ID 230921-gx6qbsfg69
Target Reserva.ppam
SHA256 75479b0ad556893c17e01e28f68d369ed87844a5d6d984aa951169799a77799a
Tags
revengerat nyancatrevenge persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

75479b0ad556893c17e01e28f68d369ed87844a5d6d984aa951169799a77799a

Threat Level: Known bad

The file Reserva.ppam was found to be: Known bad.

Malicious Activity Summary

revengerat nyancatrevenge persistence trojan

RevengeRAT

Process spawned unexpected child process

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-21 06:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-21 06:12

Reported

2023-09-21 06:14

Platform

win7-20230831-en

Max time kernel

144s

Max time network

163s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Reserva.ppam"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

RevengeRAT

trojan revengerat

Downloads MZ/PE file

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Public\document.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A

Modifies registry class

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2956 wrote to memory of 2224 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | C:\Windows\splwow64.exe
PID 2956 wrote to memory of 2572 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 3048 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2572 wrote to memory of 1956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\document.exe
PID 1956 wrote to memory of 1488 | N/A | C:\Users\Public\document.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
PID 1488 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Reserva.ppam"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c ping 127.0.0.1 -n 10 > nul & start C:\Users\Public\document.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 10

C:\Users\Public\document.exe

C:\Users\Public\document.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.4sync.com | udp
US | 199.101.134.238:443 | www.4sync.com | tcp
US | 8.8.8.8:53 | dc438.4sync.com | udp
US | 199.101.133.66:443 | dc438.4sync.com | tcp
US | 8.8.8.8:53 | marcelotatuape.ddns.net | udp
BR | 177.52.82.67:333 | marcelotatuape.ddns.net | tcp

Files

memory/2956-0-0x000000002D0B1000-0x000000002D0B2000-memory.dmp

memory/2956-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2956-2-0x00000000725FD000-0x0000000072608000-memory.dmp

memory/2956-6-0x0000000004040000-0x0000000004140000-memory.dmp

memory/2956-8-0x0000000004040000-0x0000000004140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab850B.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar8675.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2956-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2956-52-0x00000000725FD000-0x0000000072608000-memory.dmp

\Users\Public\document.exe

MD5 1a0c416ea8f730cd505b29ebd010581a
SHA1 e5c3f3d1715d33093be176dcbebdaf5d0d3f7dbf
SHA256 72c0263a4311ce64fb92a44f12a4d25d6fc4265c6f5f9544f9bebf3475182a38
SHA512 a6626d623afde4c72827b8fe5b381138badd9403e0d11711cf774240ffddc394e2ba090d11eb410127d3e915ceed903cfd35dff6424248e78342e1d9c150a760

\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5 424bf196deaeb4ddcafb78e137fa560a
SHA1 007738e9486c904a3115daa6e8ba2ee692af58c8
SHA256 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512 a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5 c3256800dce47c14acc83ccca4c3e2ac
SHA1 9d126818c66991dbc3813a65eddb88bbcf77f30a
SHA256 f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
SHA512 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

MD5 3e7ecaeb51c2812d13b07ec852d74aaf
SHA1 e9bdab93596ffb0f7f8c65243c579180939acb26
SHA256 e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
SHA512 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

MD5 340b294efc691d1b20c64175d565ebc7
SHA1 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
SHA256 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
SHA512 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

MD5 ed9159af6fd4178a8c702a526e18a699
SHA1 b7d80f65dcacafcef144da5dca07db27fcf895d1
SHA256 c781445af5320c9a16bf8618d6ff0ca3d93de1c6ee1a1e76a028f81747e14504
SHA512 93a3ce35c2aecbcb83f236e34e9848f0ff89b05a6910c74818321d19ce71513667a68b5c0ea5215d4e0e06a4482aa2e973350a61054c1f17a28ce0f94bd1e3ca

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

MD5 68934a3e9455fa72420237eb05902327
SHA1 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
SHA256 fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
SHA512 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5 68e748ecf270084cb76a4711a0cd73c1
SHA1 49cc1b7e9e9eb33b4ffbc121011273ff34d944eb
SHA256 ad4d9ff7e21ec275259d9144081c6670dad190dac88321ef7b6fa6e792d4953f
SHA512 eace54eb826302c88d8db4b171c7e843f519340e20e271f60a4b6ed133f51163dddcae86a5a8bf4a9d480e81ba8245f7d1cd153a88d2c15a20200eaf013e5cd9

memory/2840-111-0x00000000735E0000-0x0000000073B8B000-memory.dmp

memory/2840-112-0x00000000735E0000-0x0000000073B8B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-21 06:12

Reported

2023-09-21 06:14

Platform

win10v2004-20230915-en

Max time kernel

18s

Max time network

75s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Reserva.ppam" /ou ""

Signatures

Process spawned unexpected child process

Description: Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\SYSTEM32\cmd.exe
Target: C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

Runs ping.exe

Description: N/A
Indicator: N/A
Process: C:\Windows\system32\PING.EXE
Target: N/A

Suspicious behavior: AddClipboardFormatListener

Description: N/A
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
Target: N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Reserva.ppam" /ou ""

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping 127.0.0.1 -n 10 > nul & start C:\Users\Public\document.exe

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 10

Network


Files
