Malware Analysis Report

2025-01-18 20:08

Sample ID 220124-bgh2fahbhl
Target c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97
SHA256 c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97
Tags
sodinokibi ransomware suricata 19 36
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97

Threat Level: Known bad

The file c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97 was found to be: Known bad.

Malicious Activity Summary

sodinokibi ransomware suricata 19 36

Sodinokibi family

Sodinokibi/Revil sample

suricata: ET MALWARE Known Sinkhole Response Header

Sodin,Sodinokibi,REvil

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:06

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:06

Reported

2022-01-24 01:23

Platform

win7-en-20211208

Max time kernel

147s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\InvokeUnblock.tif => \??\c:\users\admin\pictures\InvokeUnblock.tif.xa6c4m2u C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File renamed C:\Users\Admin\Pictures\RevokeEnter.tif => \??\c:\users\admin\pictures\RevokeEnter.tif.xa6c4m2u C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p543q.bmp" C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\xa6c4m2u-readme.txt C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceqp35.dll C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\ReceiveEnable.vsdm C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\SuspendInvoke.cab C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcese35.dll C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\xa6c4m2u-readme.txt C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\d838fa5b.lock C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files\xa6c4m2u-readme.txt C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\ClearStep.docm C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\InvokeSend.sys C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\MergeInitialize.php C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\RedoDebug.xlsx C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\RemoveStop.mpeg2 C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files (x86)\xa6c4m2u-readme.txt C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\SyncExit.wma C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\DenyDisconnect.midi C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\ExitAdd.midi C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\InitializeEnable.ttc C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\ResolveOpen.wdp C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceoledb35.dll C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files\d838fa5b.lock C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\AssertResume.gif C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\ConvertToRead.vsd C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\d838fa5b.lock C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcecompact35.dll C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files (x86)\d838fa5b.lock C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\ConvertToTrace.wmf C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\DebugUnlock.odp C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\DismountDisable.wax C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\GrantAssert.cmd C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\d838fa5b.lock C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\xa6c4m2u-readme.txt C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceca35.dll C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceer35EN.dll C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceme35.dll C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe

"C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trainiumacademy.com udp
SG 35.213.151.161:443 trainiumacademy.com tcp
SG 35.213.151.161:443 trainiumacademy.com tcp
US 8.8.8.8:53 elliemaccreative.wordpress.com udp
US 192.0.78.12:443 elliemaccreative.wordpress.com tcp
US 192.0.78.12:443 elliemaccreative.wordpress.com tcp
US 8.8.8.8:53 ronielyn.com udp
US 8.8.8.8:53 kompresory-opravy.com udp
SK 37.9.175.133:443 kompresory-opravy.com tcp
SK 37.9.175.133:443 kompresory-opravy.com tcp
US 8.8.8.8:53 mondolandscapes.com udp
CA 104.152.168.18:443 mondolandscapes.com tcp
CA 104.152.168.18:443 mondolandscapes.com tcp
US 8.8.8.8:53 biodentify.ai udp
NL 167.71.72.208:443 biodentify.ai tcp
NL 167.71.72.208:443 biodentify.ai tcp
US 8.8.8.8:53 ruggestar.ch udp
CH 92.43.216.137:443 ruggestar.ch tcp
US 8.8.8.8:53 chris-anne.com udp
US 192.124.249.118:443 chris-anne.com tcp
US 192.124.249.118:443 chris-anne.com tcp
US 8.8.8.8:53 happylublog.wordpress.com udp
US 192.0.78.12:443 happylublog.wordpress.com tcp
US 192.0.78.12:443 happylublog.wordpress.com tcp
US 8.8.8.8:53 rarefoods.ro udp
US 8.8.8.8:53 fazagostar.co udp
IR 89.42.209.236:443 fazagostar.co tcp
IR 89.42.209.236:443 fazagostar.co tcp
US 8.8.8.8:53 auto-opel.ro udp
RO 185.165.185.192:443 auto-opel.ro tcp
RO 185.165.185.192:443 auto-opel.ro tcp
US 8.8.8.8:53 maryairbnb.wordpress.com udp
US 192.0.78.12:443 maryairbnb.wordpress.com tcp
US 192.0.78.12:443 maryairbnb.wordpress.com tcp
US 8.8.8.8:53 jacquesgarcianoto.com udp
US 8.8.8.8:53 makingmillionaires.net udp
US 8.8.8.8:53 precisetemp.com udp
US 162.213.253.35:443 precisetemp.com tcp
US 162.213.253.35:443 precisetemp.com tcp
US 8.8.8.8:53 smarttourism.academy udp
US 8.8.8.8:53 fitnessblenderstory.com udp
US 8.8.8.8:53 newonestop.com udp
DE 161.97.115.17:443 newonestop.com tcp
DE 161.97.115.17:443 newonestop.com tcp
US 8.8.8.8:53 mgimalta.com udp
US 162.159.134.42:443 mgimalta.com tcp
US 162.159.134.42:443 mgimalta.com tcp
US 8.8.8.8:53 schluesseldienste-hannover.de udp
DE 85.214.159.1:443 schluesseldienste-hannover.de tcp
US 8.8.8.8:53 craftstone.co.nz udp
NZ 103.96.117.53:443 craftstone.co.nz tcp
NZ 103.96.117.53:443 craftstone.co.nz tcp
US 8.8.8.8:53 customroasts.com udp
US 35.209.109.205:443 customroasts.com tcp
US 35.209.109.205:443 customroasts.com tcp
US 8.8.8.8:53 kerstliedjeszingen.nl udp
NL 193.34.167.86:443 kerstliedjeszingen.nl tcp
NL 193.34.167.86:443 kerstliedjeszingen.nl tcp
US 8.8.8.8:53 powershell.su udp
DE 54.38.34.173:443 powershell.su tcp
DE 54.38.34.173:443 powershell.su tcp
US 8.8.8.8:53 teutoradio.de udp
DE 217.160.0.51:443 teutoradio.de tcp
DE 217.160.0.51:443 teutoradio.de tcp
US 8.8.8.8:53 boyfriendsgoal.site udp
US 8.8.8.8:53 dogsunlimitedguide.com udp
US 188.114.96.0:443 dogsunlimitedguide.com tcp
US 8.8.8.8:53 tecleados.com udp
US 69.46.28.138:443 tecleados.com tcp
US 69.46.28.138:443 tecleados.com tcp
US 8.8.8.8:53 epicjapanart.com udp
US 8.8.8.8:53 3daywebs.com udp
US 152.44.33.230:443 3daywebs.com tcp
US 152.44.33.230:443 3daywebs.com tcp
US 8.8.8.8:53 jollity.hu udp
HU 185.33.54.20:443 jollity.hu tcp
HU 185.33.54.20:443 jollity.hu tcp
US 8.8.8.8:53 baptistdistinctives.org udp
US 173.236.197.54:443 baptistdistinctives.org tcp
US 173.236.197.54:443 baptistdistinctives.org tcp
US 8.8.8.8:53 der-stempelking.de udp
US 8.8.8.8:53 vvego.com udp
US 35.209.63.93:443 vvego.com tcp
US 35.209.63.93:443 vvego.com tcp
US 8.8.8.8:53 blueridgeheritage.com udp
US 104.244.120.67:443 blueridgeheritage.com tcp
US 8.8.8.8:53 pisofare.co udp
US 172.67.198.48:443 pisofare.co tcp
US 8.8.8.8:53 cmeow.com udp
CA 165.227.40.200:443 cmeow.com tcp
CA 165.227.40.200:443 cmeow.com tcp
US 8.8.8.8:53 xn--80addfr4ahr.dp.ua udp
UA 185.104.45.19:443 xn--80addfr4ahr.dp.ua tcp
US 8.8.8.8:53 rolleepollee.com udp
US 162.212.130.27:443 rolleepollee.com tcp
US 8.8.8.8:53 kickittickets.com udp
US 35.209.160.138:443 kickittickets.com tcp
US 35.209.160.138:443 kickittickets.com tcp
US 8.8.8.8:53 kryddersnapsen.dk udp
US 104.21.45.164:443 kryddersnapsen.dk tcp
US 104.21.45.164:443 kryddersnapsen.dk tcp
US 8.8.8.8:53 kenmccallum.com udp
US 172.67.196.62:443 kenmccallum.com tcp
US 172.67.196.62:443 kenmccallum.com tcp
US 8.8.8.8:53 cc-experts.de udp
FR 5.175.14.108:443 cc-experts.de tcp
FR 5.175.14.108:443 cc-experts.de tcp
US 8.8.8.8:53 amco.net.au udp
US 104.26.1.12:443 amco.net.au tcp
US 8.8.8.8:53 smartspeak.com udp
AU 35.201.0.0:443 smartspeak.com tcp
US 8.8.8.8:53 christianscholz.de udp
DE 62.108.32.132:443 christianscholz.de tcp
DE 62.108.32.132:443 christianscholz.de tcp
US 8.8.8.8:53 hutchstyle.co.uk udp
GB 51.195.234.92:443 hutchstyle.co.uk tcp
GB 51.195.234.92:443 hutchstyle.co.uk tcp
US 8.8.8.8:53 onlinemarketingsurgery.co.uk udp
US 104.21.52.187:443 onlinemarketingsurgery.co.uk tcp
US 8.8.8.8:53 golfclublandgoednieuwkerk.nl udp
NL 77.94.248.219:443 golfclublandgoednieuwkerk.nl tcp
NL 77.94.248.219:443 golfclublandgoednieuwkerk.nl tcp
US 8.8.8.8:53 qrs-international.com udp
CH 194.56.189.177:443 qrs-international.com tcp
CH 194.56.189.177:443 qrs-international.com tcp
US 8.8.8.8:53 markseymourphotography.co.uk udp
GB 51.89.152.167:443 markseymourphotography.co.uk tcp
GB 51.89.152.167:443 markseymourphotography.co.uk tcp
US 8.8.8.8:53 encounter-p.net udp
JP 150.95.55.170:443 encounter-p.net tcp
US 8.8.8.8:53 premier-iowa.com udp
US 45.60.150.56:443 premier-iowa.com tcp
US 45.60.150.56:443 premier-iowa.com tcp
US 8.8.8.8:53 citydogslife.com udp
US 50.16.49.81:443 citydogslife.com tcp
US 8.8.8.8:53 mike.matthies.de udp
DE 81.18.99.16:443 mike.matthies.de tcp
DE 81.18.99.16:443 mike.matthies.de tcp
US 8.8.8.8:53 digitale-elite.de udp
US 104.21.85.80:443 digitale-elite.de tcp
US 8.8.8.8:53 www.digitale-elite.com udp
US 104.21.94.35:443 www.digitale-elite.com tcp
US 8.8.8.8:53 housesofwa.com udp
US 67.227.153.112:443 housesofwa.com tcp
US 67.227.153.112:443 housesofwa.com tcp
US 8.8.8.8:53 stanleyqualitysystems.com udp
US 67.20.76.129:443 stanleyqualitysystems.com tcp
US 67.20.76.129:443 stanleyqualitysystems.com tcp
AU 202.87.31.222:443 beandrivingschool.com.au tcp
US 8.8.8.8:53 frimec-international.es udp
FR 188.165.33.133:443 frimec-international.es tcp
US 8.8.8.8:53 sochi-okna23.ru udp
RU 78.110.50.104:443 sochi-okna23.ru tcp
RU 78.110.50.104:443 sochi-okna23.ru tcp
US 8.8.8.8:53 ox-home.com udp
DE 217.160.0.83:443 ox-home.com tcp
DE 217.160.0.83:443 ox-home.com tcp
US 8.8.8.8:53 michal-s.co.il udp
US 192.81.213.222:443 michal-s.co.il tcp
US 8.8.8.8:53 affligemsehondenschool.be udp
BE 193.30.110.118:443 affligemsehondenschool.be tcp
US 8.8.8.8:53 slotspinner.com udp
US 104.21.29.202:443 slotspinner.com tcp
US 8.8.8.8:53 computer-place.de udp
DE 85.214.125.43:443 computer-place.de tcp
DE 85.214.125.43:443 computer-place.de tcp
US 8.8.8.8:53 nevadaruralhousingstudies.org udp
US 70.32.84.9:443 nevadaruralhousingstudies.org tcp
US 8.8.8.8:53 marcandy.com udp
US 3.138.251.142:443 marcandy.com tcp
US 52.14.173.103:443 marcandy.com tcp
US 3.140.179.210:443 marcandy.com tcp
US 8.8.8.8:53 centuryvisionglobal.com udp
US 100.21.76.30:443 centuryvisionglobal.com tcp
US 100.21.76.30:443 centuryvisionglobal.com tcp
US 8.8.8.8:53 amyandzac.com udp
US 50.116.63.19:443 amyandzac.com tcp
US 50.116.63.19:443 amyandzac.com tcp
US 8.8.8.8:53 globalcompliancenews.com udp
US 23.100.43.208:443 globalcompliancenews.com tcp
US 23.100.43.208:443 globalcompliancenews.com tcp
US 8.8.8.8:53 ramirezprono.com udp
US 104.21.0.143:443 ramirezprono.com tcp
US 8.8.8.8:53 lidkopingsnytt.nu udp
SE 185.35.236.51:443 lidkopingsnytt.nu tcp
SE 185.35.236.51:443 lidkopingsnytt.nu tcp
US 8.8.8.8:53 smartmind.net udp
ES 82.98.154.79:443 smartmind.net tcp
US 8.8.8.8:53 kartuindonesia.com udp
SG 151.106.118.140:443 kartuindonesia.com tcp
US 8.8.8.8:53 ntinasfiloxenia.gr udp
FI 95.216.12.233:443 ntinasfiloxenia.gr tcp
FI 95.216.12.233:443 ntinasfiloxenia.gr tcp
US 8.8.8.8:53 queertube.net udp
US 172.67.205.1:443 queertube.net tcp
US 8.8.8.8:53 lollachiro.com udp
US 172.67.132.243:443 lollachiro.com tcp
US 8.8.8.8:53 leloupblanc.gr udp
US 8.8.8.8:53 cainlaw-okc.com udp
US 54.175.148.58:443 cainlaw-okc.com tcp
US 8.8.8.8:53 rizplakatjaya.com udp
US 104.21.31.140:443 rizplakatjaya.com tcp
US 8.8.8.8:53 zdrowieszczecin.pl udp
PL 46.242.240.248:443 zdrowieszczecin.pl tcp
PL 46.242.240.248:443 zdrowieszczecin.pl tcp
US 8.8.8.8:53 thehovecounsellingpractice.co.uk udp
US 170.39.76.102:443 thehovecounsellingpractice.co.uk tcp
US 170.39.76.102:443 thehovecounsellingpractice.co.uk tcp
US 8.8.8.8:53 lifeinbreaths.com udp
US 66.235.200.145:443 lifeinbreaths.com tcp
US 8.8.8.8:53 nxtstg.org udp
DE 78.47.106.17:443 nxtstg.org tcp
US 8.8.8.8:53 vitale-arbeitskultur.destatic udp
US 8.8.8.8:53 jobscore.com udp
US 104.20.3.245:443 jobscore.com tcp
US 104.20.3.245:443 jobscore.com tcp
US 8.8.8.8:53 shrinkingplanet.com udp
US 104.26.11.49:443 shrinkingplanet.com tcp
US 8.8.8.8:53 voetbalhoogeveen.nl udp
US 8.8.8.8:53 patriotcleaning.net udp
US 104.21.39.31:443 patriotcleaning.net tcp
US 8.8.8.8:53 pro-gamer.pl udp
DE 195.201.109.119:443 pro-gamer.pl tcp
DE 195.201.109.119:443 pro-gamer.pl tcp
US 8.8.8.8:53 jeanmonti.com udp
US 162.144.22.120:443 jeanmonti.com tcp
US 162.144.22.120:443 jeanmonti.com tcp
US 8.8.8.8:53 animation-pro.co.uk udp
US 8.8.8.8:53 saint-malo-developpement.fr udp
FR 51.68.23.33:443 saint-malo-developpement.fr tcp
FR 51.68.23.33:443 saint-malo-developpement.fr tcp
US 8.8.8.8:53 bringmehope.org udp
US 45.60.97.92:443 bringmehope.org tcp
US 45.60.97.92:443 bringmehope.org tcp
US 8.8.8.8:53 pajagus.fr udp
FR 107.191.63.1:443 pajagus.fr tcp
US 8.8.8.8:53 atrgroup.it udp
DE 185.53.177.14:443 atrgroup.it tcp
US 8.8.8.8:53 proffteplo.com udp
ES 185.107.227.241:443 proffteplo.com tcp
US 8.8.8.8:53 spirello.nl udp
NL 95.170.72.128:443 spirello.nl tcp
NL 95.170.72.128:443 spirello.nl tcp
US 8.8.8.8:53 arearugcleaningnyc.com udp
US 108.178.17.142:443 arearugcleaningnyc.com tcp
US 108.178.17.142:443 arearugcleaningnyc.com tcp
US 8.8.8.8:53 hotjapaneselesbian.com udp
US 8.8.8.8:53 benchbiz.com udp
US 75.127.74.35:443 benchbiz.com tcp
US 75.127.74.35:443 benchbiz.com tcp
US 8.8.8.8:53 outstandingminialbums.com udp
US 159.203.65.67:443 outstandingminialbums.com tcp
US 8.8.8.8:53 catalyseurdetransformation.com udp
FR 46.105.57.169:443 catalyseurdetransformation.com tcp
US 8.8.8.8:53 fsbforsale.com udp
US 8.8.8.8:53 dantreranch.com udp
US 50.116.22.24:443 dantreranch.com tcp
US 8.8.8.8:53 rentsportsequip.com udp
FR 62.138.184.187:443 rentsportsequip.com tcp
FR 62.138.184.187:443 rentsportsequip.com tcp
US 8.8.8.8:53 scotlandsroute66.co.uk udp
FR 92.204.68.14:443 scotlandsroute66.co.uk tcp
FR 92.204.68.14:443 scotlandsroute66.co.uk tcp
US 8.8.8.8:53 molinum.pt udp

Files

memory/1876-54-0x0000000076121000-0x0000000076123000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:06

Reported

2022-01-24 01:23

Platform

win10-en-20211208

Max time kernel

169s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

suricata: ET MALWARE Known Sinkhole Response Header

suricata

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\RedoGet.png => \??\c:\users\admin\pictures\RedoGet.png.k8v6l7fv7x C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9t817m2f38w4.bmp" C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\MeasureMount.ico C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files\k8v6l7fv7x-readme.txt C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\NewPush.odp C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\SkipDeny.M2TS C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files\d838fa5b.lock C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\AssertUnlock.mp3 C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\ExpandLimit.tiff C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\FindClear.tif C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\OpenNew.xps C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\RestartClose.pdf C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\SwitchUse.mpeg C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\UnlockRestore.pdf C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\BlockSubmit.mhtml C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\PublishRevoke.odt C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\ResetInitialize.ps1 C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\UnpublishTest.vb C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files (x86)\k8v6l7fv7x-readme.txt C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\MountProtect.pdf C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\BackupCompress.dwg C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File created \??\c:\program files (x86)\d838fa5b.lock C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\CompleteBlock.html C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\ReceiveExpand.easmx C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\AssertSwitch.dot C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\ConfirmSwitch.jtx C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\ExportResize.mht C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\SearchLimit.ini C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\UnprotectRead.vstx C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
File opened for modification \??\c:\program files\WriteCopy.pps C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = [certificate blob omitted; the DER data names "Starfield Root Certificate Authority - G2"] C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734 C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [certificate blob omitted; the DER data names "GlobalSign Root CA - R3"] C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe

"C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

N/A