Analysis Overview
SHA256
c293a4033debde88239a7dfbb5fdce91da96dafeccbeb785a7cf83c7aa769091
Threat Level: Known bad
The file malware_006F0000_dump_SCY.exe was found to be: Known bad.
Malicious Activity Summary
Sodinokibi/Revil sample
Sodin,Sodinokibi,REvil
Sodinokibi family
Reads user/profile data of web browsers
Checks computer location settings
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-14 14:16
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-14 14:16
Reported
2024-12-14 14:22
Platform
win10ltsc2021-20241023-en
Max time kernel
294s
Max time network
300s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9j30r.bmp" | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\program files (x86)\115m82n89-readme.txt | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\ExportPush.html | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\ResetCheckpoint.asx | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\UpdateLimit.i64 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\MergeClear.doc | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File created | \??\c:\program files\d60dff40.lock | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File created | \??\c:\program files (x86)\d60dff40.lock | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\CloseConnect.3gp | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\MeasureReceive.xps | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\SelectUnprotect.vssm | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\StepSend.ADT | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\UnlockResume.ttc | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File created | \??\c:\program files\115m82n89-readme.txt | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\BlockComplete.vdx | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\OptimizeMerge.wvx | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\PushUnlock.wmv | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\RestartCompare.csv | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\ShowFormat.3g2 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | \??\c:\program files\UpdateMeasure.htm | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd076cb21a41edb1.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_ega80737.fon_604f84b5 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-hal_31bf3856ad364e35_10.0.19041.1151_none_1ff907b40ed3d811.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.3636_zh-cn_1b3ff13ffb36b744_msimsg.dll.mui_72e8994f | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_hu-hu_0f39d18194c80f6e.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..turalauthentication_31bf3856ad364e35_10.0.19041.4355_none_68751ba3549b68c3_naturalauth.dll_90858e23 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.19041.3636_none_3197c151b0cea75e.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_it-it_78c65fb1166338c9.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_46feaa68fea5a157.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_21ce86839bea8f66_mountmgr.sys.mui_71b54a25 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_79676005b94fbd75_ngcsvc.dll.mui_96312421 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fa84bcd97ed5458c.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ja-jp_d7c2226e3af6bdfe_comctl32.dll.mui_0da4e682 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.19041.1266_none_123a7540f6f47a8e.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.19041.1_es-es_f5275ef67022cea8_webclnt.dll.mui_e8f04040 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.3636_none_d63851619bdc8237.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_en-us_817a537144a47828_gpapi.dll.mui_ef0a9748 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.4522_sl-si_dac7f661e4f2c4b4_bootmgr.efi.mui_be5d0075 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a5f5f155cd89b58d.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.19041.3636_fr-fr_02aa0aedd8675eff.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_de-de_7b16fe6b5fbc6858.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.4522_uk-ua_620e20bb50fb8d2f.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_ega80850.fon_6087927d | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.3636_fr-fr_5e3c59b5070de539.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base_31bf3856ad364e35_10.0.19041.1288_none_8d0a87531015fc57.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_et-ee_a27d02ab81dd8cd2.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-userenv_31bf3856ad364e35_10.0.19041.572_none_6e154087aa2e1290.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-ngc-ksp_31bf3856ad364e35_10.0.19041.4474_none_ea8fa7a3fd76526c.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.746_none_89198a92b881b1ac.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.3636_none_3bda11122dc1e8f2_msobjs.dll_052c8a60 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4ebe9cd18298b39c_services.exe.mui_86ea5e71 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.4291_ja-jp_2b02486700ec447e_mpssvc.dll.mui_4b194b5f | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_sk-sk_6190581d530ffdab.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-system-user-service_31bf3856ad364e35_10.0.19041.1_none_4b9e016846baf755.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.3636_none_462ebb646222aaed_adtschema.dll_4cae41ac | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_zh-cn_d8daa629f412e9ec.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-microsoftjhenghei_31bf3856ad364e35_10.0.19041.1_none_1b31c6067f7278ae.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..type-microsoftyahei_31bf3856ad364e35_10.0.19041.3636_none_af6ad8f3e56dbecf.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_de-de_7c55a85dce912c86.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip-driver_31bf3856ad364e35_10.0.19041.4355_none_4cb2a57b6c68d0ae_fwpkclnt.sys_cbbab82c | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c376a8b1d6cb8357.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-maps_31bf3856ad364e35_10.0.19041.1023_none_167a0dedb3a3167c.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_f80c2ec488f97398.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msvcp110_31bf3856ad364e35_10.0.19041.3636_none_624de1c9266a8199.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d88727f57b0f135a.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.19041.4529_none_e0ca4ed1c74976b7_defaultquestions.json_ad0d8052 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_08c2373a33a21a40.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_e4acb32056072b0a.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.3636_it-it_cc3af1788395d3f5.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-gb_c3d871e478025c14_comctl32.dll.mui_0da4e682 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_10.0.19041.1_none_d228caa85018b41c.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-pshed_31bf3856ad364e35_10.0.19041.1_none_1c389b2600d2d78a_pshed.dll_f6ac239e | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rpc-local_31bf3856ad364e35_10.0.19041.1288_none_28c245a0fa440b78.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.19041.3636_en-us_6027380ae56e56f8.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-windowsuiimmersive_31bf3856ad364e35_10.0.19041.4355_none_a689f2ea89437567_windows.ui.immersive.dll.mun_6e49d10e | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.19041.3636_none_b8a60e95a159b2a2_fwremotesvr.dll_afaa5ea8 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.3636_none_2a0c80dc4367a318_atl.dll_0c7220db | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.3636_es-es_b6b2b8049ef06153_clipsvc.dll.mui_18823613 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-ndiswan_31bf3856ad364e35_10.0.19041.1151_none_6808a5d10c74690a.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\wow64_microsoft-windows-imm32_31bf3856ad364e35_10.0.19041.4474_none_db5c2fa2640c2a92_imm32.dll_53c2ab30 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_de-de_72a2c7869bb1e8b3.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_42d8e7001244e285.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_ja-jp_a59172735be4e7b4.manifest | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.3636_none_cd7b7a9b996a2282_csrss.exe_06529458 | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3016 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3016 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3016 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe
"C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.254.1.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.11.108.188:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.108.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | craftingalegacy.com | udp |
| US | 50.87.137.113:443 | craftingalegacy.com | tcp |
| US | 8.8.8.8:53 | g2mediainc.com | udp |
| DE | 78.46.1.42:443 | g2mediainc.com | tcp |
| US | 8.8.8.8:53 | brinkdoepke.eu | udp |
| DE | 92.205.192.141:443 | brinkdoepke.eu | tcp |
| US | 8.8.8.8:53 | vipcarrental.ae | udp |
| US | 104.21.40.147:443 | vipcarrental.ae | tcp |
| US | 8.8.8.8:53 | 42.1.46.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.137.87.50.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.192.205.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.40.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | autoteamlast.de | udp |
| DE | 37.202.7.169:443 | autoteamlast.de | tcp |
| US | 8.8.8.8:53 | 169.7.202.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hostastay.com | udp |
| SG | 13.229.198.152:443 | hostastay.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gavelmasters.com | udp |
| US | 8.8.8.8:53 | ronaldhendriks.nl | udp |
| NL | 185.103.16.188:443 | ronaldhendriks.nl | tcp |
| US | 8.8.8.8:53 | successcolony.com.ng | udp |
| US | 8.8.8.8:53 | medicalsupportco.com | udp |
| US | 15.197.225.128:443 | medicalsupportco.com | tcp |
| US | 8.8.8.8:53 | kompresory-opravy.com | udp |
| SK | 37.9.175.133:443 | kompresory-opravy.com | tcp |
| US | 8.8.8.8:53 | 188.16.103.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.225.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sveneulberg.de | udp |
| DE | 89.110.179.179:443 | sveneulberg.de | tcp |
| US | 8.8.8.8:53 | www.sveneulberg.de | udp |
| DE | 89.110.179.179:443 | www.sveneulberg.de | tcp |
| US | 8.8.8.8:53 | 133.175.9.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | oththukaruva.com | udp |
| US | 8.8.8.8:53 | voetbalhoogeveen.nl | udp |
| US | 8.8.8.8:53 | selected-minds.de | udp |
| DE | 217.160.0.92:443 | selected-minds.de | tcp |
| US | 8.8.8.8:53 | 179.179.110.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | log-barn.co.uk | udp |
| GB | 213.175.208.90:443 | log-barn.co.uk | tcp |
| US | 8.8.8.8:53 | 90.208.175.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fsbforsale.com | udp |
| US | 8.8.8.8:53 | jobkiwi.com.ng | udp |
| US | 8.8.8.8:53 | ivancacu.com | udp |
| DE | 217.160.0.237:443 | ivancacu.com | tcp |
| US | 8.8.8.8:53 | 11.in.ua | udp |
| UA | 91.225.81.9:443 | 11.in.ua | tcp |
| US | 8.8.8.8:53 | 237.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | irizar.com | udp |
| ES | 194.30.99.95:443 | irizar.com | tcp |
| US | 8.8.8.8:53 | 9.81.225.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.irizar.com | udp |
| ES | 194.30.99.95:443 | www.irizar.com | tcp |
| US | 8.8.8.8:53 | 95.99.30.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | colored-shelves.com | udp |
| US | 8.8.8.8:53 | soundseeing.net | udp |
| DE | 85.13.155.183:443 | soundseeing.net | tcp |
| US | 8.8.8.8:53 | scotlandsroute66.co.uk | udp |
| US | 172.67.204.127:443 | scotlandsroute66.co.uk | tcp |
| US | 8.8.8.8:53 | hawaiisteelbuilding.com | udp |
| US | 199.16.172.213:443 | hawaiisteelbuilding.com | tcp |
| US | 8.8.8.8:53 | 183.155.13.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.204.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mindfuelers.com | udp |
| US | 172.67.183.252:443 | mindfuelers.com | tcp |
| US | 8.8.8.8:53 | dentourage.com | udp |
| US | 8.8.8.8:53 | 252.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.172.16.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hekecrm.com | udp |
| CN | 38.14.23.10:443 | hekecrm.com | tcp |
| US | 8.8.8.8:53 | finsahome.co.uk | udp |
| DE | 217.160.0.87:443 | finsahome.co.uk | tcp |
| US | 8.8.8.8:53 | 87.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cormanmarketing.com | udp |
| US | 34.174.215.122:443 | cormanmarketing.com | tcp |
| US | 8.8.8.8:53 | morgansconsult.com | udp |
| GB | 35.214.25.158:443 | morgansconsult.com | tcp |
| US | 8.8.8.8:53 | 122.215.174.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dnqa.co.uk | udp |
| US | 107.178.223.183:443 | dnqa.co.uk | tcp |
| US | 8.8.8.8:53 | frimec-international.es | udp |
| US | 8.8.8.8:53 | 158.25.214.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| FR | 188.165.33.133:443 | frimec-international.es | tcp |
| US | 8.8.8.8:53 | www.frimec-international.es | udp |
| FR | 188.165.33.133:443 | www.frimec-international.es | tcp |
| US | 8.8.8.8:53 | worldproskitour.com | udp |
| US | 143.198.7.126:443 | worldproskitour.com | tcp |
| US | 8.8.8.8:53 | 133.33.165.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.7.198.143.in-addr.arpa | udp |
| US | 8.8.8.8:53 | csaballoons.com | udp |
| CA | 149.56.43.78:443 | csaballoons.com | tcp |
| US | 8.8.8.8:53 | 78.43.56.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krishnabrawijaya.com | udp |
| US | 8.8.8.8:53 | tatyanakopieva.ru | udp |
| RU | 77.222.40.195:443 | tatyanakopieva.ru | tcp |
| US | 8.8.8.8:53 | silkeight.com | udp |
| US | 8.8.8.8:53 | 195.40.222.77.in-addr.arpa | udp |
| RO | 188.213.19.166:443 | silkeight.com | tcp |
| US | 8.8.8.8:53 | 166.19.213.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | publicompserver.de | udp |
| DE | 195.3.195.201:443 | publicompserver.de | tcp |
| US | 8.8.8.8:53 | 201.195.3.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | letsstopsmoking.co.uk | udp |
| GB | 62.182.18.149:443 | letsstopsmoking.co.uk | tcp |
| US | 8.8.8.8:53 | 149.18.182.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | anleggsregisteret.no | udp |
| NO | 185.157.56.11:443 | anleggsregisteret.no | tcp |
| US | 8.8.8.8:53 | arearugcleaningnyc.com | udp |
| US | 8.8.8.8:53 | 11.56.157.185.in-addr.arpa | udp |
| US | 108.178.17.142:443 | arearugcleaningnyc.com | tcp |
| US | 8.8.8.8:53 | 142.17.178.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | diverfiestas.com.es | udp |
| FR | 176.31.163.21:443 | diverfiestas.com.es | tcp |
| US | 8.8.8.8:53 | lovcase.com | udp |
| US | 8.8.8.8:53 | alltagsrassismus-entknoten.de | udp |
| DE | 91.210.225.23:443 | alltagsrassismus-entknoten.de | tcp |
| US | 8.8.8.8:53 | 21.163.31.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.alltagsrassismus-entknoten.de | udp |
| DE | 91.210.225.23:443 | www.alltagsrassismus-entknoten.de | tcp |
| US | 8.8.8.8:53 | lassocrm.com | udp |
| US | 209.87.149.78:443 | lassocrm.com | tcp |
| US | 8.8.8.8:53 | 23.225.210.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | boyfriendsgoal.site | udp |
| US | 8.8.8.8:53 | mbuildinghomes.com | udp |
| US | 104.21.64.1:443 | mbuildinghomes.com | tcp |
| US | 8.8.8.8:53 | 78.149.87.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | santastoy.store | udp |
| US | 8.8.8.8:53 | citiscapes-art.com | udp |
| US | 172.67.201.110:443 | citiscapes-art.com | tcp |
| US | 8.8.8.8:53 | 1.64.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unislaw-narty.pl | udp |
| PL | 91.185.184.170:443 | unislaw-narty.pl | tcp |
| US | 8.8.8.8:53 | 110.201.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | envomask.com | udp |
| US | 172.81.116.97:443 | envomask.com | tcp |
| US | 8.8.8.8:53 | patassociation.com | udp |
| FR | 109.234.160.199:443 | patassociation.com | tcp |
| US | 8.8.8.8:53 | luvbec.com | udp |
| US | 8.8.8.8:53 | 199.160.234.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.116.81.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.184.185.91.in-addr.arpa | udp |
| US | 172.232.25.148:443 | luvbec.com | tcp |
| US | 8.8.8.8:53 | keuken-prijs.nl | udp |
| US | 8.8.8.8:53 | therapybusinessacademy.com | udp |
| DE | 217.160.0.95:443 | therapybusinessacademy.com | tcp |
| US | 8.8.8.8:53 | baikalflot.ru | udp |
| US | 8.8.8.8:53 | piestar.com | udp |
| US | 35.170.173.134:443 | piestar.com | tcp |
| US | 8.8.8.8:53 | 148.25.232.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.piestar.com | udp |
| US | 35.170.173.134:443 | www.piestar.com | tcp |
| US | 8.8.8.8:53 | 134.173.170.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | diakonie-weitramsdorf-sesslach.de | udp |
| DE | 78.46.133.97:443 | diakonie-weitramsdorf-sesslach.de | tcp |
| US | 8.8.8.8:53 | klapanvent.ru | udp |
| US | 8.8.8.8:53 | 97.133.46.78.in-addr.arpa | udp |
| RU | 77.222.40.14:443 | klapanvent.ru | tcp |
| US | 8.8.8.8:53 | fysiotherapierijnmond.nl | udp |
| NL | 178.128.138.113:443 | fysiotherapierijnmond.nl | tcp |
| US | 8.8.8.8:53 | www.fysiotherapierijnmond.nl | udp |
| NL | 178.128.138.113:443 | www.fysiotherapierijnmond.nl | tcp |
| US | 8.8.8.8:53 | 14.40.222.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.138.128.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avis.mantova.it | udp |
| IT | 217.64.195.176:443 | avis.mantova.it | tcp |
| US | 8.8.8.8:53 | 176.195.64.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fla.se | udp |
| SE | 91.201.63.7:443 | fla.se | tcp |
| US | 8.8.8.8:53 | sjtpo.org | udp |
| US | 65.60.10.226:443 | sjtpo.org | tcp |
| US | 8.8.8.8:53 | 7.63.201.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.10.60.65.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kroophold-sjaelland.dk | udp |
| DK | 178.20.216.245:443 | kroophold-sjaelland.dk | tcp |
| US | 8.8.8.8:53 | 245.216.20.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alharsunindo.com | udp |
| SG | 45.90.230.13:443 | alharsunindo.com | tcp |
| US | 8.8.8.8:53 | tothebackofthemoon.com | udp |
| US | 162.241.217.186:443 | tothebackofthemoon.com | tcp |
| US | 8.8.8.8:53 | 13.230.90.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.217.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chainofhopeeurope.eu | udp |
| FR | 51.15.159.75:443 | chainofhopeeurope.eu | tcp |
| US | 8.8.8.8:53 | smartmind.net | udp |
| ES | 82.98.154.79:443 | smartmind.net | tcp |
| US | 8.8.8.8:53 | 75.159.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.154.98.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | akcadagofis.com | udp |
| TR | 5.180.184.153:443 | akcadagofis.com | tcp |
| US | 8.8.8.8:53 | bundan.com | udp |
| NL | 35.214.211.239:443 | bundan.com | tcp |
| US | 8.8.8.8:53 | 153.184.180.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | graygreenbiomedservices.com | udp |
| US | 8.8.8.8:53 | dogsunlimitedguide.com | udp |
| US | 8.8.8.8:53 | rvside.com | udp |
| US | 104.21.44.61:443 | rvside.com | tcp |
| US | 8.8.8.8:53 | 239.211.214.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | davedavisphotos.com | udp |
| US | 8.8.8.8:53 | 61.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | johnstonmingmanning.com | udp |
| US | 162.159.137.54:443 | johnstonmingmanning.com | tcp |
| US | 8.8.8.8:53 | mangimirossana.it | udp |
| DE | 80.240.20.142:443 | mangimirossana.it | tcp |
| US | 8.8.8.8:53 | welovecustomers.fr | udp |
| FR | 51.15.236.35:443 | welovecustomers.fr | tcp |
| US | 8.8.8.8:53 | kenmccallum.com | udp |
| US | 104.21.76.147:443 | kenmccallum.com | tcp |
| US | 8.8.8.8:53 | glas-kuck.de | udp |
| DE | 51.195.6.20:443 | glas-kuck.de | tcp |
| US | 8.8.8.8:53 | 142.20.240.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.236.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.6.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | theboardroomafrica.com | udp |
| FR | 160.153.133.193:443 | theboardroomafrica.com | tcp |
| US | 8.8.8.8:53 | 193.133.153.160.in-addr.arpa | udp |
| US | 8.8.8.8:53 | slideevents.be | udp |
| DE | 94.237.96.23:443 | slideevents.be | tcp |
| US | 8.8.8.8:53 | omegamarbella.com | udp |
| NL | 35.214.249.33:443 | omegamarbella.com | tcp |
| US | 8.8.8.8:53 | zdrowieszczecin.pl | udp |
| US | 8.8.8.8:53 | 23.96.237.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.249.214.35.in-addr.arpa | udp |
| PL | 195.78.67.66:443 | zdrowieszczecin.pl | tcp |
| US | 8.8.8.8:53 | fotoslubna.com | udp |
| US | 8.8.8.8:53 | mursall.de | udp |
| DE | 95.130.22.108:443 | mursall.de | tcp |
| US | 8.8.8.8:53 | forextimes.ru | udp |
| RU | 37.228.89.36:443 | forextimes.ru | tcp |
| US | 8.8.8.8:53 | 108.22.130.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hiddensee-buhne11.de | udp |
| DE | 217.160.0.84:443 | hiddensee-buhne11.de | tcp |
| US | 8.8.8.8:53 | girlish.ae | udp |
| US | 8.8.8.8:53 | 84.0.160.217.in-addr.arpa | udp |
| US | 162.241.244.73:443 | girlish.ae | tcp |
| US | 8.8.8.8:53 | motocrosshideout.com | udp |
| US | 198.46.90.29:443 | motocrosshideout.com | tcp |
| US | 8.8.8.8:53 | 73.244.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | billyoart.com | udp |
| US | 104.18.127.49:443 | billyoart.com | tcp |
| US | 8.8.8.8:53 | eafx.pro | udp |
| US | 8.8.8.8:53 | patriotcleaning.net | udp |
| US | 138.197.111.104:443 | patriotcleaning.net | tcp |
| US | 8.8.8.8:53 | renehartman.nl | udp |
| NL | 213.154.226.66:443 | renehartman.nl | tcp |
| US | 8.8.8.8:53 | 29.90.46.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.127.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.111.197.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xn--80addfr4ahr.dp.ua | udp |
| US | 104.21.95.139:443 | xn--80addfr4ahr.dp.ua | tcp |
| US | 8.8.8.8:53 | 66.226.154.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | speakaudible.com | udp |
| US | 162.241.219.212:443 | speakaudible.com | tcp |
| US | 8.8.8.8:53 | magrinya.net | udp |
| DE | 217.160.0.18:443 | magrinya.net | tcp |
| US | 8.8.8.8:53 | 139.95.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.219.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | der-stempelking.de | udp |
| US | 8.8.8.8:53 | trivselsguide.dk | udp |
| US | 8.8.8.8:53 | mondolandscapes.com | udp |
| CA | 104.152.168.18:443 | mondolandscapes.com | tcp |
| US | 8.8.8.8:53 | 18.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.168.152.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nginx.com | udp |
| US | 159.60.134.0:443 | nginx.com | tcp |
| US | 8.8.8.8:53 | voice2biz.com | udp |
| US | 18.223.114.188:443 | voice2biz.com | tcp |
| US | 8.8.8.8:53 | 0.134.60.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hoteltantra.com | udp |
| FR | 149.202.147.248:443 | hoteltantra.com | tcp |
| US | 8.8.8.8:53 | casinodepositors.com | udp |
| US | 3.94.41.167:443 | casinodepositors.com | tcp |
| US | 8.8.8.8:53 | 248.147.202.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.114.223.18.in-addr.arpa | udp |
| US | 52.86.6.113:443 | casinodepositors.com | tcp |
| US | 8.8.8.8:53 | bakingismyyoga.com | udp |
| US | 3.33.152.147:443 | bakingismyyoga.com | tcp |
Files
memory/3016-0-0x0000000000120000-0x000000000014E000-memory.dmp
memory/3016-1-0x0000000000120000-0x000000000014E000-memory.dmp
C:\Users\115m82n89-readme.txt
| MD5 | 2f5dcd9c90d2cc87a7be59dffd7fef4e |
| SHA1 | 0e2fe6cb8a1c5dd343f347b67775b9f3f64608d7 |
| SHA256 | 87c15053af36a104b4adae60557e2089642cc0163987c86bb80d224677f69fa9 |
| SHA512 | f110ff4427d1ee1e31a8150cfba0c0222931cd60e757e779e7976762a13ce1328062d2dc0c183717b85c914cc6e8a4f27c1afe4bfc0de8c39ea0b986a247478d |
memory/3060-374-0x0000019089AB0000-0x0000019089AB1000-memory.dmp
memory/3060-375-0x0000019089AB0000-0x0000019089AB1000-memory.dmp
memory/3060-376-0x0000019089AB0000-0x0000019089AB1000-memory.dmp
memory/3060-380-0x0000019089AB0000-0x0000019089AB1000-memory.dmp
memory/3060-381-0x0000019089AB0000-0x0000019089AB1000-memory.dmp
memory/3060-386-0x0000019089AB0000-0x0000019089AB1000-memory.dmp
memory/3060-385-0x0000019089AB0000-0x0000019089AB1000-memory.dmp
memory/3060-384-0x0000019089AB0000-0x0000019089AB1000-memory.dmp
memory/3060-383-0x0000019089AB0000-0x0000019089AB1000-memory.dmp
memory/3060-382-0x0000019089AB0000-0x0000019089AB1000-memory.dmp