Malware Analysis Report

2025-01-18 19:32

Sample ID 220124-bg7d2ahcd6
Target c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae
SHA256 c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae
Tags
6 730 sodinokibi ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae

Threat Level: Known bad

The file c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae was found to be: Known bad.

Malicious Activity Summary

6 730 sodinokibi ransomware

Sodinokibi family

Sodin,Sodinokibi,REvil

Sodinokibi/Revil sample

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:08

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:08

Reported

2022-01-24 01:24

Platform

win7-en-20211208

Max time kernel

129s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ReadOpen.png => \??\c:\users\admin\pictures\ReadOpen.png.6825sar84 C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File renamed C:\Users\Admin\Pictures\SkipBlock.tiff => \??\c:\users\admin\pictures\SkipBlock.tiff.6825sar84 C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\users\admin\pictures\SkipBlock.tiff C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File renamed C:\Users\Admin\Pictures\RepairEdit.tif => \??\c:\users\admin\pictures\RepairEdit.tif.6825sar84 C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w833shn4.bmp" C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\ApproveInvoke.vssx C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\LimitSearch.pptx C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\MergeSend.7z C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File created \??\c:\program files (x86)\6825sar84-readme.txt C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\OutFormat.docx C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\OutResolve.wav C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File created \??\c:\program files\6825sar84-readme.txt C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\CheckpointRead.tmp C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\FindUnprotect.vdw C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\RedoConnect.pcx C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\6825sar84-readme.txt C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\UseFormat.png C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\6825sar84-readme.txt C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\6825sar84-readme.txt C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\ApproveTest.wmf C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\FindAssert.png C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\ImportEnter.rle C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\MountAssert.xlsm C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\UnblockProtect.docx C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\4C27431717565A3A07F3E6D0032C4258949CF9EC C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\4C27431717565A3A07F3E6D0032C4258949CF9EC\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe

"C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

memory/1892-54-0x0000000076C91000-0x0000000076C93000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:08

Reported

2022-01-24 01:25

Platform

win10-en-20211208

Max time kernel

173s

Max time network

189s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\CompareExpand.png => \??\c:\users\admin\pictures\CompareExpand.png.z49aex C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeDismount.tif => \??\c:\users\admin\pictures\ResumeDismount.tif.z49aex C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File renamed C:\Users\Admin\Pictures\SavePop.tif => \??\c:\users\admin\pictures\SavePop.tif.z49aex C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File renamed C:\Users\Admin\Pictures\SetSuspend.raw => \??\c:\users\admin\pictures\SetSuspend.raw.z49aex C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File renamed C:\Users\Admin\Pictures\SendMeasure.crw => \??\c:\users\admin\pictures\SendMeasure.crw.z49aex C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\users\admin\pictures\UnregisterMount.tiff C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File renamed C:\Users\Admin\Pictures\MountPop.crw => \??\c:\users\admin\pictures\MountPop.crw.z49aex C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File renamed C:\Users\Admin\Pictures\PingConvert.tif => \??\c:\users\admin\pictures\PingConvert.tif.z49aex C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File renamed C:\Users\Admin\Pictures\UnregisterMount.tiff => \??\c:\users\admin\pictures\UnregisterMount.tiff.z49aex C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6meft0s1.bmp" C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\ConvertFromUnpublish.3g2 C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\CopyEdit.png C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\SendDisconnect.dot C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\StepSuspend.ods C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\SwitchConvertTo.svgz C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\ConvertFromExpand.mhtml C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\OutLock.au3 C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\SearchApprove.reg C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\StopGrant.vdx C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\UninstallConvertFrom.rle C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\GrantInvoke.asp C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File created \??\c:\program files\z49aex-readme.txt C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\ConvertToClose.tif C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\FormatUnprotect.pcx C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\FormatUpdate.rtf C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\SetSkip.png C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File opened for modification \??\c:\program files\TraceSend.au3 C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A
File created \??\c:\program files (x86)\z49aex-readme.txt C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe

"C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pixelhealth.net udp
GB 109.68.33.64:443 pixelhealth.net tcp
US 8.8.8.8:53 professionetata.com udp
US 8.8.8.8:53 carmel-york.com udp
US 34.102.136.180:443 carmel-york.com tcp
US 34.102.136.180:443 carmel-york.com tcp
US 34.102.136.180:443 carmel-york.com tcp

Files

N/A