Malware Analysis Report

2025-01-18 18:19

Sample ID 241214-rle4cawnfn
Target malware_006F0000_dump_SCY.exe
SHA256 c293a4033debde88239a7dfbb5fdce91da96dafeccbeb785a7cf83c7aa769091
Tags
5 367 sodinokibi discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c293a4033debde88239a7dfbb5fdce91da96dafeccbeb785a7cf83c7aa769091

Threat Level: Known bad

The file malware_006F0000_dump_SCY.exe was found to be: Known bad.

Malicious Activity Summary

5 367 sodinokibi discovery ransomware spyware stealer

Sodinokibi/Revil sample

Sodin,Sodinokibi,REvil

Sodinokibi family

Reads user/profile data of web browsers

Checks computer location settings

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-14 14:16

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-14 14:16

Reported

2024-12-14 14:22

Platform

win10ltsc2021-20241023-en

Max time kernel

294s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9j30r.bmp" C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\115m82n89-readme.txt C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\ExportPush.html C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\ResetCheckpoint.asx C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\UpdateLimit.i64 C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\MergeClear.doc C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File created \??\c:\program files\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File created \??\c:\program files (x86)\d60dff40.lock C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\CloseConnect.3gp C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\MeasureReceive.xps C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\SelectUnprotect.vssm C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\StepSend.ADT C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\UnlockResume.ttc C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File created \??\c:\program files\115m82n89-readme.txt C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\BlockComplete.vdx C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\OptimizeMerge.wvx C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\PushUnlock.wmv C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\RestartCompare.csv C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\ShowFormat.3g2 C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
File opened for modification \??\c:\program files\UpdateMeasure.htm C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A

Drops file in Windows directory

Description Indicator Process Target

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe

"C:\Users\Admin\AppData\Local\Temp\malware_006F0000_dump_SCY.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.alltagsrassismus-entknoten.de udp
DE 91.210.225.23:443 www.alltagsrassismus-entknoten.de tcp
US 8.8.8.8:53 lassocrm.com udp
US 209.87.149.78:443 lassocrm.com tcp
US 8.8.8.8:53 23.225.210.91.in-addr.arpa udp
US 8.8.8.8:53 boyfriendsgoal.site udp
US 8.8.8.8:53 mbuildinghomes.com udp
US 104.21.64.1:443 mbuildinghomes.com tcp
US 8.8.8.8:53 78.149.87.209.in-addr.arpa udp
US 8.8.8.8:53 santastoy.store udp
US 8.8.8.8:53 citiscapes-art.com udp
US 172.67.201.110:443 citiscapes-art.com tcp
US 8.8.8.8:53 1.64.21.104.in-addr.arpa udp
US 8.8.8.8:53 unislaw-narty.pl udp
PL 91.185.184.170:443 unislaw-narty.pl tcp
US 8.8.8.8:53 110.201.67.172.in-addr.arpa udp
US 8.8.8.8:53 envomask.com udp
US 172.81.116.97:443 envomask.com tcp
US 8.8.8.8:53 patassociation.com udp
FR 109.234.160.199:443 patassociation.com tcp
US 8.8.8.8:53 luvbec.com udp
US 8.8.8.8:53 199.160.234.109.in-addr.arpa udp
US 8.8.8.8:53 97.116.81.172.in-addr.arpa udp
US 8.8.8.8:53 170.184.185.91.in-addr.arpa udp
US 172.232.25.148:443 luvbec.com tcp
US 8.8.8.8:53 keuken-prijs.nl udp
US 8.8.8.8:53 therapybusinessacademy.com udp
DE 217.160.0.95:443 therapybusinessacademy.com tcp
US 8.8.8.8:53 baikalflot.ru udp
US 8.8.8.8:53 piestar.com udp
US 35.170.173.134:443 piestar.com tcp
US 8.8.8.8:53 148.25.232.172.in-addr.arpa udp
US 8.8.8.8:53 95.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 www.piestar.com udp
US 35.170.173.134:443 www.piestar.com tcp
US 8.8.8.8:53 134.173.170.35.in-addr.arpa udp
US 8.8.8.8:53 diakonie-weitramsdorf-sesslach.de udp
DE 78.46.133.97:443 diakonie-weitramsdorf-sesslach.de tcp
US 8.8.8.8:53 klapanvent.ru udp
US 8.8.8.8:53 97.133.46.78.in-addr.arpa udp
RU 77.222.40.14:443 klapanvent.ru tcp
US 8.8.8.8:53 fysiotherapierijnmond.nl udp
NL 178.128.138.113:443 fysiotherapierijnmond.nl tcp
US 8.8.8.8:53 www.fysiotherapierijnmond.nl udp
NL 178.128.138.113:443 www.fysiotherapierijnmond.nl tcp
US 8.8.8.8:53 14.40.222.77.in-addr.arpa udp
US 8.8.8.8:53 113.138.128.178.in-addr.arpa udp
US 8.8.8.8:53 avis.mantova.it udp
IT 217.64.195.176:443 avis.mantova.it tcp
US 8.8.8.8:53 176.195.64.217.in-addr.arpa udp
US 8.8.8.8:53 fla.se udp
SE 91.201.63.7:443 fla.se tcp
US 8.8.8.8:53 sjtpo.org udp
US 65.60.10.226:443 sjtpo.org tcp
US 8.8.8.8:53 7.63.201.91.in-addr.arpa udp
US 8.8.8.8:53 226.10.60.65.in-addr.arpa udp
US 8.8.8.8:53 kroophold-sjaelland.dk udp
DK 178.20.216.245:443 kroophold-sjaelland.dk tcp
US 8.8.8.8:53 245.216.20.178.in-addr.arpa udp
US 8.8.8.8:53 alharsunindo.com udp
SG 45.90.230.13:443 alharsunindo.com tcp
US 8.8.8.8:53 tothebackofthemoon.com udp
US 162.241.217.186:443 tothebackofthemoon.com tcp
US 8.8.8.8:53 13.230.90.45.in-addr.arpa udp
US 8.8.8.8:53 186.217.241.162.in-addr.arpa udp
US 8.8.8.8:53 chainofhopeeurope.eu udp
FR 51.15.159.75:443 chainofhopeeurope.eu tcp
US 8.8.8.8:53 smartmind.net udp
ES 82.98.154.79:443 smartmind.net tcp
US 8.8.8.8:53 75.159.15.51.in-addr.arpa udp
US 8.8.8.8:53 79.154.98.82.in-addr.arpa udp
US 8.8.8.8:53 akcadagofis.com udp
TR 5.180.184.153:443 akcadagofis.com tcp
US 8.8.8.8:53 bundan.com udp
NL 35.214.211.239:443 bundan.com tcp
US 8.8.8.8:53 153.184.180.5.in-addr.arpa udp
US 8.8.8.8:53 graygreenbiomedservices.com udp
US 8.8.8.8:53 dogsunlimitedguide.com udp
US 8.8.8.8:53 rvside.com udp
US 104.21.44.61:443 rvside.com tcp
US 8.8.8.8:53 239.211.214.35.in-addr.arpa udp
US 8.8.8.8:53 davedavisphotos.com udp
US 8.8.8.8:53 61.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 johnstonmingmanning.com udp
US 162.159.137.54:443 johnstonmingmanning.com tcp
US 8.8.8.8:53 mangimirossana.it udp
DE 80.240.20.142:443 mangimirossana.it tcp
US 8.8.8.8:53 welovecustomers.fr udp
FR 51.15.236.35:443 welovecustomers.fr tcp
US 8.8.8.8:53 kenmccallum.com udp
US 104.21.76.147:443 kenmccallum.com tcp
US 8.8.8.8:53 glas-kuck.de udp
DE 51.195.6.20:443 glas-kuck.de tcp
US 8.8.8.8:53 142.20.240.80.in-addr.arpa udp
US 8.8.8.8:53 54.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 147.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 35.236.15.51.in-addr.arpa udp
US 8.8.8.8:53 20.6.195.51.in-addr.arpa udp
US 8.8.8.8:53 theboardroomafrica.com udp
FR 160.153.133.193:443 theboardroomafrica.com tcp
US 8.8.8.8:53 193.133.153.160.in-addr.arpa udp
US 8.8.8.8:53 slideevents.be udp
DE 94.237.96.23:443 slideevents.be tcp
US 8.8.8.8:53 omegamarbella.com udp
NL 35.214.249.33:443 omegamarbella.com tcp
US 8.8.8.8:53 zdrowieszczecin.pl udp
US 8.8.8.8:53 23.96.237.94.in-addr.arpa udp
US 8.8.8.8:53 33.249.214.35.in-addr.arpa udp
PL 195.78.67.66:443 zdrowieszczecin.pl tcp
US 8.8.8.8:53 fotoslubna.com udp
US 8.8.8.8:53 mursall.de udp
DE 95.130.22.108:443 mursall.de tcp
US 8.8.8.8:53 forextimes.ru udp
RU 37.228.89.36:443 forextimes.ru tcp
US 8.8.8.8:53 108.22.130.95.in-addr.arpa udp
US 8.8.8.8:53 hiddensee-buhne11.de udp
DE 217.160.0.84:443 hiddensee-buhne11.de tcp
US 8.8.8.8:53 girlish.ae udp
US 8.8.8.8:53 84.0.160.217.in-addr.arpa udp
US 162.241.244.73:443 girlish.ae tcp
US 8.8.8.8:53 motocrosshideout.com udp
US 198.46.90.29:443 motocrosshideout.com tcp
US 8.8.8.8:53 73.244.241.162.in-addr.arpa udp
US 8.8.8.8:53 billyoart.com udp
US 104.18.127.49:443 billyoart.com tcp
US 8.8.8.8:53 eafx.pro udp
US 8.8.8.8:53 patriotcleaning.net udp
US 138.197.111.104:443 patriotcleaning.net tcp
US 8.8.8.8:53 renehartman.nl udp
NL 213.154.226.66:443 renehartman.nl tcp
US 8.8.8.8:53 29.90.46.198.in-addr.arpa udp
US 8.8.8.8:53 49.127.18.104.in-addr.arpa udp
US 8.8.8.8:53 104.111.197.138.in-addr.arpa udp
US 8.8.8.8:53 xn--80addfr4ahr.dp.ua udp
US 104.21.95.139:443 xn--80addfr4ahr.dp.ua tcp
US 8.8.8.8:53 66.226.154.213.in-addr.arpa udp
US 8.8.8.8:53 speakaudible.com udp
US 162.241.219.212:443 speakaudible.com tcp
US 8.8.8.8:53 magrinya.net udp
DE 217.160.0.18:443 magrinya.net tcp
US 8.8.8.8:53 139.95.21.104.in-addr.arpa udp
US 8.8.8.8:53 212.219.241.162.in-addr.arpa udp
US 8.8.8.8:53 der-stempelking.de udp
US 8.8.8.8:53 trivselsguide.dk udp
US 8.8.8.8:53 mondolandscapes.com udp
CA 104.152.168.18:443 mondolandscapes.com tcp
US 8.8.8.8:53 18.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 18.168.152.104.in-addr.arpa udp
US 8.8.8.8:53 nginx.com udp
US 159.60.134.0:443 nginx.com tcp
US 8.8.8.8:53 voice2biz.com udp
US 18.223.114.188:443 voice2biz.com tcp
US 8.8.8.8:53 0.134.60.159.in-addr.arpa udp
US 8.8.8.8:53 hoteltantra.com udp
FR 149.202.147.248:443 hoteltantra.com tcp
US 8.8.8.8:53 casinodepositors.com udp
US 3.94.41.167:443 casinodepositors.com tcp
US 8.8.8.8:53 248.147.202.149.in-addr.arpa udp
US 8.8.8.8:53 188.114.223.18.in-addr.arpa udp
US 52.86.6.113:443 casinodepositors.com tcp
US 8.8.8.8:53 bakingismyyoga.com udp
US 3.33.152.147:443 bakingismyyoga.com tcp

Files

memory/3016-0-0x0000000000120000-0x000000000014E000-memory.dmp

memory/3016-1-0x0000000000120000-0x000000000014E000-memory.dmp

C:\Users\115m82n89-readme.txt

MD5 2f5dcd9c90d2cc87a7be59dffd7fef4e
SHA1 0e2fe6cb8a1c5dd343f347b67775b9f3f64608d7
SHA256 87c15053af36a104b4adae60557e2089642cc0163987c86bb80d224677f69fa9
SHA512 f110ff4427d1ee1e31a8150cfba0c0222931cd60e757e779e7976762a13ce1328062d2dc0c183717b85c914cc6e8a4f27c1afe4bfc0de8c39ea0b986a247478d

memory/3060-374-0x0000019089AB0000-0x0000019089AB1000-memory.dmp

memory/3060-375-0x0000019089AB0000-0x0000019089AB1000-memory.dmp

memory/3060-376-0x0000019089AB0000-0x0000019089AB1000-memory.dmp

memory/3060-380-0x0000019089AB0000-0x0000019089AB1000-memory.dmp

memory/3060-381-0x0000019089AB0000-0x0000019089AB1000-memory.dmp

memory/3060-386-0x0000019089AB0000-0x0000019089AB1000-memory.dmp

memory/3060-385-0x0000019089AB0000-0x0000019089AB1000-memory.dmp

memory/3060-384-0x0000019089AB0000-0x0000019089AB1000-memory.dmp

memory/3060-383-0x0000019089AB0000-0x0000019089AB1000-memory.dmp

memory/3060-382-0x0000019089AB0000-0x0000019089AB1000-memory.dmp