Analysis Overview
SHA256
c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97
Threat Level: Known bad
The file c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97 was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodinokibi/Revil sample
suricata: ET MALWARE Known Sinkhole Response Header
Sodin,Sodinokibi,REvil
Deletes shadow copies
Modifies extensions of user files
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-24 01:06
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-24 01:06
Reported
2022-01-24 01:23
Platform
win7-en-20211208
Max time kernel
147s
Max time network
179s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\InvokeUnblock.tif => \??\c:\users\admin\pictures\InvokeUnblock.tif.xa6c4m2u | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RevokeEnter.tif => \??\c:\users\admin\pictures\RevokeEnter.tif.xa6c4m2u | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p543q.bmp" | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe
"C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/1876-54-0x0000000076121000-0x0000000076123000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-24 01:06
Reported
2022-01-24 01:23
Platform
win10-en-20211208
Max time kernel
169s
Max time network
184s
Command Line
Signatures
Sodin,Sodinokibi,REvil
suricata: ET MALWARE Known Sinkhole Response Header
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\RedoGet.png => \??\c:\users\admin\pictures\RedoGet.png.k8v6l7fv7x | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9t817m2f38w4.bmp" | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734 | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3532 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3532 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3532 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4300 wrote to memory of 1700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 4300 wrote to memory of 1700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 4300 wrote to memory of 1700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe
"C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.20:443 | | tcp |
| US | 52.109.12.20:443 | | tcp |
| US | 8.8.8.8:53 | trainiumacademy.com | udp |
| SG | 35.213.151.161:443 | trainiumacademy.com | tcp |
| US | 8.8.8.8:53 | elliemaccreative.wordpress.com | udp |
| US | 192.0.78.13:443 | elliemaccreative.wordpress.com | tcp |
| US | 8.8.8.8:53 | ronielyn.com | udp |
| US | 8.8.8.8:53 | kompresory-opravy.com | udp |
| SK | 37.9.175.133:443 | kompresory-opravy.com | tcp |
| US | 8.8.8.8:53 | mondolandscapes.com | udp |
| CA | 104.152.168.18:443 | mondolandscapes.com | tcp |
| US | 8.8.8.8:53 | biodentify.ai | udp |
| NL | 167.71.72.208:443 | biodentify.ai | tcp |
| US | 8.8.8.8:53 | ruggestar.ch | udp |
| CH | 92.43.216.137:443 | ruggestar.ch | tcp |
| US | 8.8.8.8:53 | chris-anne.com | udp |
| US | 192.124.249.118:443 | chris-anne.com | tcp |
| US | 8.8.8.8:53 | happylublog.wordpress.com | udp |
| US | 192.0.78.13:443 | happylublog.wordpress.com | tcp |
| US | 8.8.8.8:53 | rarefoods.ro | udp |
| US | 8.8.8.8:53 | fazagostar.co | udp |
| IR | 89.42.209.236:443 | fazagostar.co | tcp |
| US | 8.8.8.8:53 | auto-opel.ro | udp |
| RO | 185.165.185.192:443 | auto-opel.ro | tcp |
| US | 8.8.8.8:53 | maryairbnb.wordpress.com | udp |
| US | 192.0.78.12:443 | maryairbnb.wordpress.com | tcp |
| US | 8.8.8.8:53 | jacquesgarcianoto.com | udp |
| US | 8.8.8.8:53 | makingmillionaires.net | udp |
| US | 8.8.8.8:53 | precisetemp.com | udp |
| US | 162.213.253.35:443 | precisetemp.com | tcp |
| US | 8.8.8.8:53 | smarttourism.academy | udp |
| US | 8.8.8.8:53 | fitnessblenderstory.com | udp |
| US | 8.8.8.8:53 | newonestop.com | udp |
| DE | 161.97.115.17:443 | newonestop.com | tcp |
| DE | 161.97.115.17:443 | newonestop.com | tcp |
| US | 8.8.8.8:53 | mgimalta.com | udp |
| US | 162.159.135.42:443 | mgimalta.com | tcp |
| US | 8.8.8.8:53 | schluesseldienste-hannover.de | udp |
| DE | 85.214.159.1:443 | schluesseldienste-hannover.de | tcp |
| US | 8.8.8.8:53 | craftstone.co.nz | udp |
| NZ | 103.96.117.53:443 | craftstone.co.nz | tcp |
| US | 8.8.8.8:53 | customroasts.com | udp |
| US | 35.209.109.205:443 | customroasts.com | tcp |
| US | 8.8.8.8:53 | kerstliedjeszingen.nl | udp |
| NL | 193.34.167.86:443 | kerstliedjeszingen.nl | tcp |
| US | 8.8.8.8:53 | powershell.su | udp |
| DE | 54.38.34.173:443 | powershell.su | tcp |
| US | 8.8.8.8:53 | teutoradio.de | udp |
| DE | 217.160.0.51:443 | teutoradio.de | tcp |
| US | 8.8.8.8:53 | boyfriendsgoal.site | udp |
| US | 8.8.8.8:53 | dogsunlimitedguide.com | udp |
| US | 188.114.96.0:443 | dogsunlimitedguide.com | tcp |
| US | 8.8.8.8:53 | tecleados.com | udp |
| US | 69.46.28.138:443 | tecleados.com | tcp |
| US | 8.8.8.8:53 | epicjapanart.com | udp |
| US | 8.8.8.8:53 | 3daywebs.com | udp |
| US | 152.44.33.230:443 | 3daywebs.com | tcp |
| US | 8.8.8.8:53 | jollity.hu | udp |
| HU | 185.33.54.20:443 | jollity.hu | tcp |
| US | 8.8.8.8:53 | baptistdistinctives.org | udp |
| US | 173.236.197.54:443 | baptistdistinctives.org | tcp |
| US | 8.8.8.8:53 | www.baptistdistinctives.org | udp |
| US | 173.236.197.54:443 | www.baptistdistinctives.org | tcp |
| US | 8.8.8.8:53 | der-stempelking.de | udp |
| US | 8.8.8.8:53 | vvego.com | udp |
| US | 35.209.63.93:443 | vvego.com | tcp |
| US | 35.209.63.93:443 | vvego.com | tcp |
| US | 8.8.8.8:53 | blueridgeheritage.com | udp |
| US | 104.244.120.67:443 | blueridgeheritage.com | tcp |
| US | 8.8.8.8:53 | pisofare.co | udp |
| US | 172.67.198.48:443 | pisofare.co | tcp |
| US | 8.8.8.8:53 | cmeow.com | udp |
| CA | 165.227.40.200:443 | cmeow.com | tcp |
| US | 8.8.8.8:53 | xn--80addfr4ahr.dp.ua | udp |
| UA | 185.104.45.19:443 | xn--80addfr4ahr.dp.ua | tcp |
| US | 8.8.8.8:53 | rolleepollee.com | udp |
| US | 162.212.130.27:443 | rolleepollee.com | tcp |
| US | 8.8.8.8:53 | kickittickets.com | udp |
| US | 35.209.160.138:443 | kickittickets.com | tcp |
| US | 8.8.8.8:53 | kryddersnapsen.dk | udp |
| US | 104.21.45.164:443 | kryddersnapsen.dk | tcp |
| US | 104.21.45.164:443 | kryddersnapsen.dk | tcp |
| US | 8.8.8.8:53 | kenmccallum.com | udp |
| US | 104.21.76.147:443 | kenmccallum.com | tcp |
| US | 8.8.8.8:53 | cc-experts.de | udp |
| FR | 5.175.14.108:443 | cc-experts.de | tcp |
| US | 8.8.8.8:53 | amco.net.au | udp |
| US | 104.26.1.12:443 | amco.net.au | tcp |
| US | 8.8.8.8:53 | smartspeak.com | udp |
| AU | 35.201.0.0:443 | smartspeak.com | tcp |
| US | 8.8.8.8:53 | christianscholz.de | udp |
| DE | 62.108.32.132:443 | christianscholz.de | tcp |
| US | 8.8.8.8:53 | hutchstyle.co.uk | udp |
| GB | 51.195.234.92:443 | hutchstyle.co.uk | tcp |
| US | 8.8.8.8:53 | onlinemarketingsurgery.co.uk | udp |
| US | 104.21.52.187:443 | onlinemarketingsurgery.co.uk | tcp |
| US | 8.8.8.8:53 | golfclublandgoednieuwkerk.nl | udp |
| NL | 77.94.248.219:443 | golfclublandgoednieuwkerk.nl | tcp |
| US | 8.8.8.8:53 | qrs-international.com | udp |
| CH | 194.56.189.177:443 | qrs-international.com | tcp |
| US | 8.8.8.8:53 | markseymourphotography.co.uk | udp |
| GB | 51.89.152.167:443 | markseymourphotography.co.uk | tcp |
| US | 8.8.8.8:53 | encounter-p.net | udp |
| JP | 150.95.55.170:443 | encounter-p.net | tcp |
| US | 8.8.8.8:53 | premier-iowa.com | udp |
| US | 45.60.150.56:443 | premier-iowa.com | tcp |
| US | 8.8.8.8:53 | citydogslife.com | udp |
| US | 50.16.49.81:443 | citydogslife.com | tcp |
| US | 8.8.8.8:53 | mike.matthies.de | udp |
| DE | 81.18.99.16:443 | mike.matthies.de | tcp |
| US | 8.8.8.8:53 | digitale-elite.de | udp |
| US | 104.21.85.80:443 | digitale-elite.de | tcp |
| US | 8.8.8.8:53 | www.digitale-elite.com | udp |
| US | 104.21.94.35:443 | www.digitale-elite.com | tcp |
| US | 8.8.8.8:53 | housesofwa.com | udp |
| US | 67.227.153.112:443 | housesofwa.com | tcp |
| US | 8.8.8.8:53 | stanleyqualitysystems.com | udp |
| US | 67.20.76.129:443 | stanleyqualitysystems.com | tcp |
| US | 8.8.8.8:53 | beandrivingschool.com.au | udp |
| AU | 202.87.31.222:443 | beandrivingschool.com.au | tcp |
| US | 8.8.8.8:53 | frimec-international.es | udp |
| FR | 188.165.33.133:443 | frimec-international.es | tcp |
| US | 8.8.8.8:53 | sochi-okna23.ru | udp |
| RU | 78.110.50.104:443 | sochi-okna23.ru | tcp |
| US | 8.8.8.8:53 | ox-home.com | udp |
| DE | 217.160.0.83:443 | ox-home.com | tcp |
| US | 8.8.8.8:53 | michal-s.co.il | udp |
| US | 192.81.213.222:443 | michal-s.co.il | tcp |
| BE | 193.30.110.118:443 | affligemsehondenschool.be | tcp |
| US | 8.8.8.8:53 | slotspinner.com | udp |
| US | 172.67.149.199:443 | slotspinner.com | tcp |
| US | 8.8.8.8:53 | computer-place.de | udp |
| DE | 85.214.125.43:443 | computer-place.de | tcp |
| US | 8.8.8.8:53 | nevadaruralhousingstudies.org | udp |
| US | 70.32.84.9:443 | nevadaruralhousingstudies.org | tcp |
| US | 8.8.8.8:53 | marcandy.com | udp |
| US | 3.140.179.210:443 | marcandy.com | tcp |
| US | 52.14.173.103:443 | marcandy.com | tcp |
| US | 3.138.251.142:443 | marcandy.com | tcp |
| US | 8.8.8.8:53 | centuryvisionglobal.com | udp |
| US | 100.21.76.30:443 | centuryvisionglobal.com | tcp |
| US | 8.8.8.8:53 | amyandzac.com | udp |
| US | 50.116.63.19:443 | amyandzac.com | tcp |
| US | 8.8.8.8:53 | globalcompliancenews.com | udp |
| US | 23.100.43.208:443 | globalcompliancenews.com | tcp |
| US | 8.8.8.8:53 | ramirezprono.com | udp |
| US | 172.67.128.19:443 | ramirezprono.com | tcp |
| US | 8.8.8.8:53 | lidkopingsnytt.nu | udp |
| SE | 185.35.236.51:443 | lidkopingsnytt.nu | tcp |
| US | 8.8.8.8:53 | smartmind.net | udp |
| ES | 82.98.154.79:443 | smartmind.net | tcp |
| US | 8.8.8.8:53 | kartuindonesia.com | udp |
| SG | 151.106.118.140:443 | kartuindonesia.com | tcp |
| US | 8.8.8.8:53 | ntinasfiloxenia.gr | udp |
| FI | 95.216.12.233:443 | ntinasfiloxenia.gr | tcp |
| US | 8.8.8.8:53 | queertube.net | udp |
| US | 104.21.37.59:443 | queertube.net | tcp |
| US | 8.8.8.8:53 | lollachiro.com | udp |
| US | 104.21.5.43:443 | lollachiro.com | tcp |
| US | 8.8.8.8:53 | www.lollachiro.com | udp |
| US | 172.67.132.243:443 | www.lollachiro.com | tcp |
| US | 8.8.8.8:53 | leloupblanc.gr | udp |
| US | 8.8.8.8:53 | cainlaw-okc.com | udp |
| US | 54.175.148.58:443 | cainlaw-okc.com | tcp |
| US | 8.8.8.8:53 | rizplakatjaya.com | udp |
| US | 104.21.31.140:443 | rizplakatjaya.com | tcp |
| US | 8.8.8.8:53 | zdrowieszczecin.pl | udp |
| PL | 46.242.240.248:443 | zdrowieszczecin.pl | tcp |
| US | 8.8.8.8:53 | thehovecounsellingpractice.co.uk | udp |
| US | 170.39.76.102:443 | thehovecounsellingpractice.co.uk | tcp |
| US | 8.8.8.8:53 | lifeinbreaths.com | udp |
| US | 66.235.200.145:443 | lifeinbreaths.com | tcp |
| US | 8.8.8.8:53 | nxtstg.org | udp |
| DE | 78.47.106.17:443 | nxtstg.org | tcp |
| US | 8.8.8.8:53 | vitale-arbeitskultur.denews | udp |
| US | 8.8.8.8:53 | jobscore.com | udp |
| US | 104.20.3.245:443 | jobscore.com | tcp |
| US | 8.8.8.8:53 | shrinkingplanet.com | udp |
| US | 104.26.10.49:443 | shrinkingplanet.com | tcp |
| US | 8.8.8.8:53 | voetbalhoogeveen.nl | udp |
| US | 8.8.8.8:53 | patriotcleaning.net | udp |
| US | 104.21.39.31:443 | patriotcleaning.net | tcp |
| US | 8.8.8.8:53 | pro-gamer.pl | udp |
| DE | 195.201.109.119:443 | pro-gamer.pl | tcp |
| DE | 195.201.109.119:443 | pro-gamer.pl | tcp |
| US | 8.8.8.8:53 | jeanmonti.com | udp |
| US | 162.144.22.120:443 | jeanmonti.com | tcp |
| US | 8.8.8.8:53 | animation-pro.co.uk | udp |
| US | 8.8.8.8:53 | saint-malo-developpement.fr | udp |
| FR | 51.68.23.33:443 | saint-malo-developpement.fr | tcp |
| US | 8.8.8.8:53 | www.saint-malo-developpement.fr | udp |
| FR | 51.68.23.33:443 | www.saint-malo-developpement.fr | tcp |
| US | 8.8.8.8:53 | bringmehope.org | udp |
| US | 107.154.147.92:443 | bringmehope.org | tcp |
| US | 8.8.8.8:53 | pajagus.fr | udp |
| FR | 107.191.63.1:443 | pajagus.fr | tcp |
| US | 8.8.8.8:53 | atrgroup.it | udp |
| DE | 185.53.177.14:443 | atrgroup.it | tcp |
| US | 8.8.8.8:53 | proffteplo.com | udp |
| ES | 185.107.227.241:443 | proffteplo.com | tcp |
| US | 8.8.8.8:53 | spirello.nl | udp |
| NL | 95.170.72.128:443 | spirello.nl | tcp |
| US | 8.8.8.8:53 | arearugcleaningnyc.com | udp |
| US | 108.178.17.142:443 | arearugcleaningnyc.com | tcp |
| US | 8.8.8.8:53 | hotjapaneselesbian.com | udp |
| US | 8.8.8.8:53 | benchbiz.com | udp |
| US | 75.127.74.35:443 | benchbiz.com | tcp |
| US | 8.8.8.8:53 | outstandingminialbums.com | udp |
| US | 159.203.65.67:443 | outstandingminialbums.com | tcp |
| US | 8.8.8.8:53 | catalyseurdetransformation.com | udp |
| FR | 46.105.57.169:443 | catalyseurdetransformation.com | tcp |
| US | 8.8.8.8:53 | fsbforsale.com | udp |
| US | 8.8.8.8:53 | dantreranch.com | udp |
| US | 50.116.22.24:443 | dantreranch.com | tcp |
| US | 8.8.8.8:53 | rentsportsequip.com | udp |
| FR | 62.138.184.187:443 | rentsportsequip.com | tcp |
| US | 8.8.8.8:53 | scotlandsroute66.co.uk | udp |
| FR | 92.204.68.14:443 | scotlandsroute66.co.uk | tcp |
| US | 8.8.8.8:53 | molinum.pt | udp |
| US | 8.8.8.8:53 | osn.ro | udp |
| DE | 46.101.224.150:443 | osn.ro | tcp |
| US | 8.8.8.8:53 | eshop.design | udp |
| DE | 64.190.62.111:443 | eshop.design | tcp |
| US | 8.8.8.8:53 | dennisverschuur.com | udp |
| DK | 46.30.215.120:443 | dennisverschuur.com | tcp |
| US | 8.8.8.8:53 | buerocenter-butzbach-werbemittel.de | udp |
| US | 8.8.8.8:53 | leansupremegarcinia.net | udp |
| US | 8.8.8.8:53 | fbmagazine.ru | udp |
| US | 8.8.8.8:53 | mieleshopping.it | udp |
| NL | 35.214.166.193:443 | mieleshopping.it | tcp |
| US | 8.8.8.8:53 | www.mieleshopping.it | udp |
| US | 104.21.72.45:443 | www.mieleshopping.it | tcp |
| US | 8.8.8.8:53 | k-zubki.ru | udp |
| GB | 185.215.4.16:443 | k-zubki.ru | tcp |
| US | 8.8.8.8:53 | ncjc.ca | udp |
| CA | 54.39.73.56:443 | ncjc.ca | tcp |
| US | 8.8.8.8:53 | jonnyhooley.com | udp |
| GB | 35.214.94.12:443 | jonnyhooley.com | tcp |
| US | 8.8.8.8:53 | thegrinningmanmusical.com | udp |
| GB | 83.136.249.218:443 | thegrinningmanmusical.com | tcp |
| US | 8.8.8.8:53 | denhaagfoodie.nl | udp |
| NL | 185.232.250.194:443 | denhaagfoodie.nl | tcp |
| US | 8.8.8.8:53 | www.denhaagfoodie.nl | udp |
| NL | 185.232.250.194:443 | www.denhaagfoodie.nl | tcp |
| US | 8.8.8.8:53 | nauticmarine.dk | udp |
| DK | 185.221.38.106:443 | nauticmarine.dk | tcp |
| US | 8.8.8.8:53 | orchardbrickwork.com | udp |
| GB | 109.108.130.72:443 | orchardbrickwork.com | tcp |
| US | 8.8.8.8:53 | atma.nl | udp |
| US | 8.8.8.8:53 | orchardbrickwork.com | udp |
| US | 8.8.8.8:53 | latableacrepes-meaux.fr | udp |
| US | 8.8.8.8:53 | aidanpublishing.co.uk | udp |
| GB | 77.72.0.142:443 | aidanpublishing.co.uk | tcp |
| US | 8.8.8.8:53 | uci-france.fr | udp |
| FR | 213.186.33.18:443 | uci-france.fr | tcp |
| US | 8.8.8.8:53 | landgoedspica.nl | udp |
| DE | 83.169.37.227:443 | landgoedspica.nl | tcp |
| US | 8.8.8.8:53 | annida.it | udp |
| GB | 185.2.4.123:443 | annida.it | tcp |
| US | 8.8.8.8:53 | direitapernambuco.com | udp |
| US | 8.8.8.8:53 | elex.is | udp |
| SI | 194.249.231.96:443 | elex.is | tcp |
| US | 8.8.8.8:53 | bodet150ans.com | udp |
| FR | 213.186.33.24:443 | bodet150ans.com | tcp |
| US | 8.8.8.8:53 | tetameble.pl | udp |
| PL | 109.95.157.35:443 | tetameble.pl | tcp |
| US | 8.8.8.8:53 | t3brothers.com | udp |
| US | 8.8.8.8:53 | clemenfoto.dk | udp |
| DK | 46.30.215.230:443 | clemenfoto.dk | tcp |
| US | 8.8.8.8:53 | welovecustomers.fr | udp |
| FR | 51.15.236.35:443 | welovecustomers.fr | tcp |
| US | 8.8.8.8:53 | www.welovecustomers.fr | udp |
| NL | 65.9.82.56:443 | www.welovecustomers.fr | tcp |
| US | 8.8.8.8:53 | charlesfrancis.photos | udp |
| FR | 92.205.7.181:443 | charlesfrancis.photos | tcp |
| US | 8.8.8.8:53 | circlecitydj.com | udp |
| US | 172.67.207.66:443 | circlecitydj.com | tcp |
| US | 8.8.8.8:53 | encoreentertainment.net | udp |
| US | 162.159.135.42:443 | encoreentertainment.net | tcp |
| US | 162.159.135.42:443 | encoreentertainment.net | tcp |
| US | 8.8.8.8:53 | mrcar.nl | udp |
| NL | 37.34.48.68:443 | mrcar.nl | tcp |
| US | 8.8.8.8:53 | factoriareloj.com | udp |
| US | 8.8.8.8:53 | 2020hindsight.info | udp |
| US | 8.8.8.8:53 | worldproskitour.com | udp |
| US | 35.185.71.154:443 | worldproskitour.com | tcp |
| US | 8.8.8.8:53 | guohedd.com | udp |
| US | 8.8.8.8:53 | sambaglow.com | udp |
| US | 72.167.241.134:443 | sambaglow.com | tcp |
| US | 72.167.241.134:443 | sambaglow.com | tcp |
| US | 72.167.241.134:443 | sambaglow.com | tcp |
| US | 72.167.241.134:443 | sambaglow.com | tcp |
| US | 8.8.8.8:53 | omnicademy.com | udp |
| US | 13.56.33.8:443 | omnicademy.com | tcp |
| US | 8.8.8.8:53 | www.brandbucket.com | udp |
| US | 172.67.4.41:443 | www.brandbucket.com | tcp |
| US | 8.8.8.8:53 | ultimatelifesource.com | udp |
| GB | 87.254.25.84:443 | ultimatelifesource.com | tcp |
| US | 8.8.8.8:53 | luvinsburger.fr | udp |
| FR | 188.165.53.185:443 | luvinsburger.fr | tcp |
| FR | 188.165.53.185:443 | luvinsburger.fr | tcp |
| US | 8.8.8.8:53 | mneti.ru | udp |
| RU | 95.165.137.165:443 | mneti.ru | tcp |
| US | 8.8.8.8:53 | asiaartgallery.jp | udp |
| JP | 162.43.117.14:443 | asiaartgallery.jp | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 46.30.215.191:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.26.12.244:443 | | tcp |