Malware Analysis Report

2025-01-18 18:36

Sample ID 220124-bs993ahef5
Target a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762
SHA256 a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762
Tags
16 288 sodinokibi ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762

Threat Level: Known bad

The file a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762 was found to be: Known bad.

Malicious Activity Summary

16 288 sodinokibi ransomware

Sodinokibi family

Sodinokibi/Revil sample

Sodin,Sodinokibi,REvil

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Interacts with shadow copies

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:25

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:25

Reported

2022-01-24 06:58

Platform

win7-en-20211208

Max time kernel

140s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\UninstallExpand.tif => \??\c:\users\admin\pictures\UninstallExpand.tif.cboygp C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\users\admin\pictures\InvokeExit.tiff C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertFromRename.png => \??\c:\users\admin\pictures\ConvertFromRename.png.cboygp C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertStop.raw => \??\c:\users\admin\pictures\ConvertStop.raw.cboygp C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File renamed C:\Users\Admin\Pictures\DisconnectUpdate.raw => \??\c:\users\admin\pictures\DisconnectUpdate.raw.cboygp C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File renamed C:\Users\Admin\Pictures\InvokeExit.tiff => \??\c:\users\admin\pictures\InvokeExit.tiff.cboygp C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File renamed C:\Users\Admin\Pictures\ProtectDeny.raw => \??\c:\users\admin\pictures\ProtectDeny.raw.cboygp C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File renamed C:\Users\Admin\Pictures\ReadSwitch.crw => \??\c:\users\admin\pictures\ReadSwitch.crw.cboygp C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0dc97c707f85.bmp" C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\AssertUse.tif C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\SubmitWatch.vdx C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\SwitchStep.scf C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\UnregisterBlock.pub C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\a7e89524.lock C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\DisconnectGrant.ttf C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\PushOpen.3gp2 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\SaveExpand.wpl C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\a7e89524.lock C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\WriteUnpublish.cr2 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\cboygp-readme.txt C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files (x86)\a7e89524.lock C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\CompressAssert.iso C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\DisableRequest.cr2 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\DisableSearch.3gpp C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\FindRemove.vdx C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\InstallConvertFrom.mp4v C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\ReadPop.doc C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\UpdateFind.dwfx C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files\a7e89524.lock C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\MergeUnlock.nfo C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files\cboygp-readme.txt C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files (x86)\cboygp-readme.txt C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\PingHide.xltm C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\PushTrace.gif C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\a7e89524.lock C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\cboygp-readme.txt C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\cboygp-readme.txt C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe

"C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

memory/1452-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:25

Reported

2022-01-24 06:58

Platform

win10-en-20211208

Max time kernel

156s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ConvertFromImport.tiff => \??\c:\users\admin\pictures\ConvertFromImport.tiff.h7m61uei4 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File renamed C:\Users\Admin\Pictures\ExitSelect.raw => \??\c:\users\admin\pictures\ExitSelect.raw.h7m61uei4 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File renamed C:\Users\Admin\Pictures\RepairRequest.crw => \??\c:\users\admin\pictures\RepairRequest.crw.h7m61uei4 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File renamed C:\Users\Admin\Pictures\ResetOut.tiff => \??\c:\users\admin\pictures\ResetOut.tiff.h7m61uei4 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File renamed C:\Users\Admin\Pictures\ShowOpen.raw => \??\c:\users\admin\pictures\ShowOpen.raw.h7m61uei4 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File renamed C:\Users\Admin\Pictures\WriteTest.raw => \??\c:\users\admin\pictures\WriteTest.raw.h7m61uei4 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\users\admin\pictures\ConvertFromImport.tiff C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\users\admin\pictures\ResetOut.tiff C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\y2134.bmp" C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\CloseTest.mp3 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\OpenDismount.m4v C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\CompleteRequest.3gp2 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\ExpandEnter.jpg C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\MergeUnregister.mpv2 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\StartResolve.3gp2 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\UseRename.wmf C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files\h7m61uei4-readme.txt C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\GetCompress.doc C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\OptimizeSave.eprtx C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\SearchSync.mp2v C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\CompleteUnregister.svg C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\HideRestart.mpp C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\ResolveSet.contact C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files (x86)\a7e89524.lock C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\MountGrant.vbe C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\SetReset.png C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files\a7e89524.lock C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\ProtectFormat.dxf C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\GetWait.pub C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\InitializeAssert.vssm C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\LockConfirm.xlsx C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\ReadRename.pub C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\SkipRequest.dotm C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File created \??\c:\program files (x86)\h7m61uei4-readme.txt C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\FormatSend.vbe C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\RequestBackup.ttf C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\ResolvePush.ppt C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\SplitExpand.pub C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\LimitMove.jtx C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
File opened for modification \??\c:\program files\RenameDisable.avi C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
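The table above mixes three kinds of artefacts: user documents opened for modification (the files being encrypted), a ransom note (h7m61uei4-readme.txt) created in each directory, and a marker file (a7e89524.lock). The following Python is an added example written for this page, not code from the report or the sandbox: it classifies such rows and returns a verdict. The rows are a constructed subset copied from the table; the regexes, the function names and the verdict thresholds are the editor's assumptions. REvil's documented convention is to name the note after the random extension it appends to encrypted files; whether this sample used the same string is only visible in the "Modifies extensions of user files" table, not in these rows.

```python
"""Added example (not from the report): classify 'Drops file' rows."""
import re
from collections import Counter

# Constructed subset of the table above: (action, NT path).
SAMPLE_ROWS = [
    ("File opened for modification", r"\??\c:\program files\CloseTest.mp3"),
    ("File opened for modification", r"\??\c:\program files\ExpandEnter.jpg"),
    ("File created", r"\??\c:\program files\h7m61uei4-readme.txt"),
    ("File opened for modification", r"\??\c:\program files\GetCompress.doc"),
    ("File created", r"\??\c:\program files (x86)\a7e89524.lock"),
    ("File created", r"\??\c:\program files\a7e89524.lock"),
    ("File opened for modification", r"\??\c:\program files\LockConfirm.xlsx"),
    ("File created", r"\??\c:\program files (x86)\h7m61uei4-readme.txt"),
    ("File opened for modification", r"\??\c:\program files\GetWait.pub"),
    ("File opened for modification", r"\??\c:\program files\ReadRename.pub"),
]

# Assumed patterns: '<tag>-readme.txt' ransom note, '<8 hex>.lock' marker.
NOTE_RE = re.compile(r"^([a-z0-9]+)-readme\.txt$", re.I)
LOCK_RE = re.compile(r"^([0-9a-f]{8})\.lock$", re.I)


def _split(path):
    """Strip the NT object-manager prefix '\\??\\' and split into (dir, name)."""
    if path.startswith("\\??\\"):
        path = path[4:]
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name


def classify(rows):
    """Bucket rows into note tags, note directories, lock tags and
    a per-extension count of files opened for modification."""
    summary = {"note_tags": set(), "note_dirs": set(), "lock_tags": set(),
               "modified_by_ext": Counter()}
    for action, path in rows:
        directory, name = _split(path)
        if action == "File created":
            if m := NOTE_RE.match(name):
                summary["note_tags"].add(m.group(1).lower())
                summary["note_dirs"].add(directory)
            elif m := LOCK_RE.match(name):
                summary["lock_tags"].add(m.group(1).lower())
        elif action == "File opened for modification":
            summary["modified_by_ext"][name.rpartition(".")[2].lower()] += 1
    return summary


def looks_like_revil_run(summary):
    """Heuristic verdict (editor's thresholds): a single note tag dropped in
    at least two directories, a single lock marker, and document-type files
    opened for modification."""
    docs = ("doc", "docx", "xlsx", "pub", "ppt", "jpg", "png", "mp3")
    return (len(summary["note_tags"]) == 1
            and len(summary["note_dirs"]) >= 2
            and len(summary["lock_tags"]) == 1
            and any(summary["modified_by_ext"][e] for e in docs))


if __name__ == "__main__":
    s = classify(SAMPLE_ROWS)
    print(s["note_tags"], s["lock_tags"], dict(s["modified_by_ext"]),
          looks_like_revil_run(s))
```

The same logic applies to the per-user directories listed earlier in the report; only the directory prefix changes.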

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted; the same value was written four times) C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe N/A

AuthRoot\Certificates is the store that Windows' automatic root-certificate update populates when a TLS chain needs a root not yet cached locally, so this signature fires for many processes that make outbound HTTPS connections, as the sample does in the Network section below. Treat it as a side effect of the TLS traffic rather than as deliberate tampering with the certificate store unless the thumbprint is confirmed to be something other than a public root.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

vssvc.exe is the Volume Shadow Copy service. Enabling these privileges is its normal behaviour when handling a shadow-copy request such as the vssadmin.exe Delete Shadows command shown under Processes, so this entry corroborates the shadow-copy deletion rather than showing privilege manipulation by the sample itself.

Processes

C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe

"C:\Users\Admin\AppData\Local\Temp\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
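The process list shows the recovery-inhibition chain in one cmd.exe invocation: vssadmin deletes all shadow copies, then bcdedit disables Windows recovery and tells the boot loader to ignore boot failures (ATT&CK T1490, Inhibit System Recovery). The image path is C:\Windows\SysWOW64\cmd.exe although the command line names C:\Windows\System32\cmd.exe because the sample is a 32-bit process and WOW64 file-system redirection maps System32 to SysWOW64. The Python below is an added example written for this page, not the sandbox's own signature logic: it splits a cmd.exe /c chain and matches each part against command-line rules. The command lines are copied from the Processes section; the rule names, the split on & and &&, and the extra wmic/wbadmin variants (not on this page, added as the editor's generalisation of the same technique) are assumptions.

```python
"""Added example (not from the report): detect T1490 command lines."""
import re

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762.exe")

# Constructed from the Processes section above: (image path, command line).
SAMPLE_PROCESSES = [
    (SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
     r"& bcdedit /set {default} recoveryenabled No "
     r"& bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    (r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# (rule name, regex applied to one lower-cased command). The wmic and wbadmin
# rules cover variants of the same technique that this report does not show.
RULES = [
    ("shadow_copies_deleted",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copies_deleted",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("backup_catalog_deleted",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
]


def split_chain(cmdline):
    """Return the individual commands of a cmd.exe '/c' or '/k' chain.
    Anything before '/c' (the cmd.exe path itself) is dropped; the remainder
    is split on '&' and '&&'. A command line without '/c' is one command."""
    low = cmdline.lower()
    m = re.search(r"(?:^|\s)/[ck]\s+", low)
    body = low[m.end():] if m else low
    return [p.strip() for p in re.split(r"\s*(?:&&|&)\s*", body) if p.strip()]


def detect(cmdline):
    """Set of rule names that match any command in the chain."""
    hits = set()
    for cmd in split_chain(cmdline):
        for name, rx in RULES:
            if rx.search(cmd):
                hits.add(name)
    return hits


def score_process_tree(processes):
    """Aggregate hits over (image, cmdline) pairs; returns (hits, ATT&CK ids).
    Every rule here maps to T1490 (Inhibit System Recovery)."""
    hits = set()
    for _image, cmdline in processes:
        hits |= detect(cmdline)
    return hits, ({"T1490"} if hits else set())


if __name__ == "__main__":
    print(score_process_tree(SAMPLE_PROCESSES))
```

Because the child vssadmin.exe process is logged separately, the same shadow-copy rule fires twice (once on the cmd.exe chain, once on vssadmin.exe itself); the set union keeps the verdict to one hit per rule.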

Network

Rows with destination 8.8.8.8:53 and proto udp are DNS queries; rows with a domain and a tcp destination are the connections that followed the lookup. A row with no Domain value is a connection made directly to an IP address. Several domains (for example cymru.futbol, molinum.pt, gavelmasters.com and azerbaycanas.com) are queried but never connected to.

Country Destination Domain Proto
NL 104.110.191.140:80 tcp
US 8.8.8.8:53 donau-guides.eu udp
US 172.67.169.67:443 donau-guides.eu tcp
US 8.8.8.8:53 donauguides.com udp
US 172.67.167.124:443 donauguides.com tcp
US 8.8.8.8:53 tanatek.com udp
CA 198.50.129.250:443 tanatek.com tcp
US 8.8.8.8:53 buffdaddyblog.com udp
US 104.21.56.192:443 buffdaddyblog.com tcp
US 8.8.8.8:53 www.buffdaddyblog.com udp
US 172.67.155.207:443 www.buffdaddyblog.com tcp
US 8.8.8.8:53 jefersonalessandro.com udp
US 104.21.39.83:443 jefersonalessandro.com tcp
US 8.8.8.8:53 riffenmattgarage.ch udp
CH 194.230.72.228:443 riffenmattgarage.ch tcp
US 8.8.8.8:53 cymru.futbol udp
US 8.8.8.8:53 kvetymichalovce.sk udp
SK 37.9.175.157:443 kvetymichalovce.sk tcp
US 8.8.8.8:53 agrifarm.dk udp
DK 185.21.40.19:443 agrifarm.dk tcp
US 8.8.8.8:53 silkeight.com udp
RO 188.213.19.167:443 silkeight.com tcp
US 8.8.8.8:53 molinum.pt udp
US 8.8.8.8:53 babysitting-hk.helpergo.co udp
SG 157.230.253.64:443 babysitting-hk.helpergo.co tcp
US 8.8.8.8:53 dogsunlimitedguide.com udp
US 188.114.97.0:443 dogsunlimitedguide.com tcp
US 8.8.8.8:53 turing.academy udp
DE 64.190.62.111:443 turing.academy tcp
US 8.8.8.8:53 bluemarinefoundation.com udp
GB 46.101.88.142:443 bluemarinefoundation.com tcp
US 8.8.8.8:53 comoserescritor.com udp
ES 82.223.24.132:443 comoserescritor.com tcp
US 8.8.8.8:53 topautoinsurers.net udp
US 208.91.197.13:443 topautoinsurers.net tcp
US 8.8.8.8:53 teamsegeln.ch udp
CH 83.166.138.104:443 teamsegeln.ch tcp
US 8.8.8.8:53 avtoboss163.ru udp
RU 185.32.57.142:443 avtoboss163.ru tcp
US 8.8.8.8:53 saboboxtel.uk udp
NL 91.184.0.4:443 saboboxtel.uk tcp
US 8.8.8.8:53 sambaglow.com udp
US 72.167.241.134:443 sambaglow.com tcp
US 72.167.241.134:443 sambaglow.com tcp
US 72.167.241.134:443 sambaglow.com tcp
US 72.167.241.134:443 sambaglow.com tcp
US 8.8.8.8:53 ivancacu.com udp
DE 217.160.0.237:443 ivancacu.com tcp
US 8.8.8.8:53 lashandbrowenvy.com udp
US 104.238.68.196:443 lashandbrowenvy.com tcp
US 8.8.8.8:53 trevi-vl.ru udp
EE 5.45.112.80:443 trevi-vl.ru tcp
US 8.8.8.8:53 xn--billigafrgpatroner-stb.se udp
SE 46.59.102.201:443 xn--billigafrgpatroner-stb.se tcp
US 8.8.8.8:53 metroton.ru udp
RU 45.128.206.87:443 metroton.ru tcp
US 8.8.8.8:53 broccolisoep.nl udp
NL 5.61.249.144:443 broccolisoep.nl tcp
US 8.8.8.8:53 stringnosis.academy udp
US 45.55.72.95:443 stringnosis.academy tcp
US 8.8.8.8:53 the-cupboard.co.uk udp
GB 213.52.129.248:443 the-cupboard.co.uk tcp
US 8.8.8.8:53 cops4causes.org udp
US 66.185.18.243:443 cops4causes.org tcp
US 8.8.8.8:53 kombi-dress.com udp
UA 185.68.16.38:443 kombi-dress.com tcp
US 8.8.8.8:53 thiagoperez.com udp
US 209.133.222.158:443 thiagoperez.com tcp
US 8.8.8.8:53 bundan.com udp
NL 35.214.211.239:443 bundan.com tcp
US 8.8.8.8:53 vitoriaecoturismo.com.br udp
US 209.145.52.46:443 vitoriaecoturismo.com.br tcp
US 8.8.8.8:53 grupoecoturismo.com udp
US 198.211.99.246:443 grupoecoturismo.com tcp
US 198.211.99.246:443 grupoecoturismo.com tcp
US 8.8.8.8:53 gavelmasters.com udp
US 8.8.8.8:53 tramadolhealth.com udp
US 104.21.47.153:443 tramadolhealth.com tcp
US 8.8.8.8:53 eksperdanismanlik.com udp
US 172.67.140.207:443 eksperdanismanlik.com tcp
US 8.8.8.8:53 zdrowieszczecin.pl udp
PL 46.242.240.248:443 zdrowieszczecin.pl tcp
US 8.8.8.8:53 fskhjalmar.se udp
DK 46.30.215.73:443 fskhjalmar.se tcp
US 8.8.8.8:53 gta-jjb.fr udp
FR 87.98.154.146:443 gta-jjb.fr tcp
US 8.8.8.8:53 zealcon.ae udp
US 70.32.23.90:443 zealcon.ae tcp
US 8.8.8.8:53 myplaywin3.com udp
US 23.111.167.154:443 myplaywin3.com tcp
US 8.8.8.8:53 azerbaycanas.com udp
US 8.8.8.8:53 m2graph.fr udp
FR 164.132.235.17:443 m2graph.fr tcp
FR 164.132.235.17:443 m2graph.fr tcp
US 8.8.8.8:53 terraflair.de udp
IE 52.30.3.152:443 terraflair.de tcp
IE 52.30.3.152:443 terraflair.de tcp

Files

N/A