Analysis Overview
SHA256
9d898d6795f3d5cab2fbdb217d24d7504d7da4e67c7ed41e9c1468e49f96de00
Threat Level: Known bad
The file 2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry was found to be: Known bad.
Malicious Activity Summary
Chaos Ransomware
Chaos family
Chaos
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Checks computer location settings
Drops desktop.ini file(s)
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-26 15:30
Signatures
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Chaos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-26 15:30
Reported
2024-09-26 15:33
Platform
win7-20240704-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2732 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 2732 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 2732 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 2708 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2708 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2708 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
Network
Files
memory/2732-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp
memory/2732-1-0x0000000000920000-0x000000000092C000-memory.dmp
memory/2732-2-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | a1a903c5a6cb70282502e31c0a5baab7 |
| SHA1 | 0a452c52690ed627a3f072d372454b3e8f6ce73a |
| SHA256 | 9d898d6795f3d5cab2fbdb217d24d7504d7da4e67c7ed41e9c1468e49f96de00 |
| SHA512 | f8b48b0a04f8bbf6f9a63999ad1ded375ace71bb432c18f421c5832ccf65984bab876af4220212a40e45596c9f3fdcc0c5ef8a0facf4a401a54617c7cda53559 |
memory/2708-8-0x0000000000270000-0x000000000027C000-memory.dmp
C:\Users\Admin\Desktop\read_it.txt
| MD5 | f3467a18bc9bff5d1fa6fde886434b25 |
| SHA1 | a99e70caecf250cbb3b99407225305dd13a5c397 |
| SHA256 | 214e91de820244192eba3647e738b19807fd67cdb7c63cabbcdc17c8de03e783 |
| SHA512 | cdd9b1f4037e8e2f111b0331666dfdcf33a7a86c075b548148608e2c6410eda510afe4817b3375b0d6acb0e923c9e54b359226d538f8b74db921eac70b8fe840 |
memory/2708-18-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
memory/2708-83-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
memory/2708-84-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-26 15:30
Reported
2024-09-26 15:33
Platform
win10v2004-20240802-en
Max time kernel
97s
Max time network
141s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4700 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 4700 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 2580 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2580 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-26_a1a903c5a6cb70282502e31c0a5baab7_destroyer_wannacry.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4700-0-0x00007FFD8BFE3000-0x00007FFD8BFE5000-memory.dmp
memory/4700-1-0x0000000000710000-0x000000000071C000-memory.dmp
memory/4700-2-0x00007FFD8BFE3000-0x00007FFD8BFE5000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | a1a903c5a6cb70282502e31c0a5baab7 |
| SHA1 | 0a452c52690ed627a3f072d372454b3e8f6ce73a |
| SHA256 | 9d898d6795f3d5cab2fbdb217d24d7504d7da4e67c7ed41e9c1468e49f96de00 |
| SHA512 | f8b48b0a04f8bbf6f9a63999ad1ded375ace71bb432c18f421c5832ccf65984bab876af4220212a40e45596c9f3fdcc0c5ef8a0facf4a401a54617c7cda53559 |
memory/2580-15-0x00007FFD8BFE0000-0x00007FFD8CAA1000-memory.dmp
C:\Users\Admin\Desktop\read_it.txt
| MD5 | f3467a18bc9bff5d1fa6fde886434b25 |
| SHA1 | a99e70caecf250cbb3b99407225305dd13a5c397 |
| SHA256 | 214e91de820244192eba3647e738b19807fd67cdb7c63cabbcdc17c8de03e783 |
| SHA512 | cdd9b1f4037e8e2f111b0331666dfdcf33a7a86c075b548148608e2c6410eda510afe4817b3375b0d6acb0e923c9e54b359226d538f8b74db921eac70b8fe840 |
memory/2580-69-0x00007FFD8BFE0000-0x00007FFD8CAA1000-memory.dmp