Analysis Overview
SHA256
158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce
Threat Level: Known bad
The file 158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce was found to be: Known bad.
Malicious Activity Summary
Sodin,Sodinokibi,REvil
Sodinokibi/Revil sample
Sodinokibi family
Deletes shadow copies
Modifies extensions of user files
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Enumerates physical storage devices
Modifies system certificate store
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-30 08:00
Signatures
Sodinokibi family
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-30 08:00
Reported
2022-01-30 08:04
Platform
win7-en-20211208
Max time kernel
133s
Max time network
146s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\users\admin\pictures\PushCompress.tiff | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DebugEdit.raw => \??\c:\users\admin\pictures\DebugEdit.raw.608113r0 | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveInvoke.raw => \??\c:\users\admin\pictures\MoveInvoke.raw.608113r0 | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PushCompress.tiff => \??\c:\users\admin\pictures\PushCompress.tiff.608113r0 | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SaveRestore.png => \??\c:\users\admin\pictures\SaveRestore.png.608113r0 | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UseRestart.png => \??\c:\users\admin\pictures\UseRestart.png.608113r0 | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\966s3.bmp" | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe
"C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-30 08:00
Reported
2022-01-30 08:04
Platform
win10-en-20211208
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\users\admin\pictures\ExportTest.tiff | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertToSwitch.crw => \??\c:\users\admin\pictures\ConvertToSwitch.crw.1s97fi8p | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisconnectRepair.raw => \??\c:\users\admin\pictures\DisconnectRepair.raw.1s97fi8p | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExportTest.tiff => \??\c:\users\admin\pictures\ExportTest.tiff.1s97fi8p | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveResume.tif => \??\c:\users\admin\pictures\MoveResume.tif.1s97fi8p | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UndoConfirm.raw => \??\c:\users\admin\pictures\UndoConfirm.raw.1s97fi8p | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AddExport.crw => \??\c:\users\admin\pictures\AddExport.crw.1s97fi8p | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockStep.crw => \??\c:\users\admin\pictures\BlockStep.crw.1s97fi8p | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertConnect.png => \??\c:\users\admin\pictures\ConvertConnect.png.1s97fi8p | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallUnblock.raw => \??\c:\users\admin\pictures\InstallUnblock.raw.1s97fi8p | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PopGrant.raw => \??\c:\users\admin\pictures\PopGrant.raw.1s97fi8p | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PopInitialize.crw => \??\c:\users\admin\pictures\PopInitialize.crw.1s97fi8p | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\l42no5h.bmp" | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2308 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2308 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2308 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2344 wrote to memory of 996 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 2344 wrote to memory of 996 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
| PID 2344 wrote to memory of 996 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe
"C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| US | 50.87.198.148:443 | hm-com.com | tcp |
| US | 8.8.8.8:53 | arearugcleaningnyc.com | udp |
| US | 108.178.17.142:443 | arearugcleaningnyc.com | tcp |
| US | 8.8.8.8:53 | fysiotherapierijnmond.nl | udp |
| NL | 149.210.155.99:443 | fysiotherapierijnmond.nl | tcp |
| US | 8.8.8.8:53 | buffdaddyblog.com | udp |
| US | 172.67.155.207:443 | buffdaddyblog.com | tcp |
| US | 8.8.8.8:53 | www.buffdaddyblog.com | udp |
| US | 172.67.155.207:443 | www.buffdaddyblog.com | tcp |
| US | 8.8.8.8:53 | dr-vita.de | udp |
| DE | 46.253.242.205:443 | dr-vita.de | tcp |
| US | 8.8.8.8:53 | www.dr-vita.de | udp |
| DE | 46.253.242.205:443 | www.dr-vita.de | tcp |
| US | 8.8.8.8:53 | profibersan.com | udp |
| TR | 213.159.29.43:443 | profibersan.com | tcp |
| US | 8.8.8.8:53 | wirmuessenreden.com | udp |
| DE | 178.77.83.248:443 | wirmuessenreden.com | tcp |
| US | 8.8.8.8:53 | secrets-clubs.co.uk | udp |
| GB | 185.199.220.35:443 | secrets-clubs.co.uk | tcp |
| US | 8.8.8.8:53 | greatofficespaces.net | udp |
| US | 35.209.165.189:443 | greatofficespaces.net | tcp |
| US | 8.8.8.8:53 | campusescalade.com | udp |
| US | 172.104.6.240:443 | campusescalade.com | tcp |
| US | 8.8.8.8:53 | biketruck.de | udp |
| DK | 77.111.240.1:443 | biketruck.de | tcp |
| US | 8.8.8.8:53 | cmascd.com | udp |
| US | 8.8.8.8:53 | kookooo.com | udp |
| RU | 92.53.96.236:443 | kookooo.com | tcp |
| US | 8.8.8.8:53 | scholarquotes.com | udp |
| US | 104.248.69.181:443 | scholarquotes.com | tcp |
| US | 8.8.8.8:53 | apmollerpension.com | udp |
| DK | 94.231.103.53:443 | apmollerpension.com | tcp |
| US | 8.8.8.8:53 | haus-landliebe.de | udp |
| DE | 89.31.143.1:443 | haus-landliebe.de | tcp |
| US | 8.8.8.8:53 | azerbaycanas.com | udp |
| US | 8.8.8.8:53 | inewsstar.com | udp |
| US | 3.18.7.81:443 | inewsstar.com | tcp |
Files
memory/2308-115-0x0000000000F90000-0x0000000000FB3000-memory.dmp
memory/2308-116-0x0000000000F90000-0x0000000000FB3000-memory.dmp
memory/2308-117-0x0000000000F90000-0x0000000000FB3000-memory.dmp
memory/2308-118-0x00000000013C0000-0x00000000013C1000-memory.dmp
memory/2308-119-0x0000000002F00000-0x0000000002F06000-memory.dmp