Malware Analysis Report

2025-01-18 19:20

Sample ID 220130-jv6zeshge6
Target 158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce
SHA256 158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce
Tags
sodinokibi ransomware 19 312
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce

Threat Level: Known bad

The file 158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce was found to be: Known bad.

Malicious Activity Summary

sodinokibi ransomware 19 312

Sodin,Sodinokibi,REvil

Sodinokibi/Revil sample

Sodinokibi family

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Modifies system certificate store

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-30 08:00

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-30 08:00

Reported

2022-01-30 08:04

Platform

win7-en-20211208

Max time kernel

133s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification \??\c:\users\admin\pictures\PushCompress.tiff C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\DebugEdit.raw => \??\c:\users\admin\pictures\DebugEdit.raw.608113r0 C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\MoveInvoke.raw => \??\c:\users\admin\pictures\MoveInvoke.raw.608113r0 C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\PushCompress.tiff => \??\c:\users\admin\pictures\PushCompress.tiff.608113r0 C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\SaveRestore.png => \??\c:\users\admin\pictures\SaveRestore.png.608113r0 C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\UseRestart.png => \??\c:\users\admin\pictures\UseRestart.png.608113r0 C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\966s3.bmp" C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\microsoft sql server compact edition\62161c73.lock C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\608113r0-readme.txt C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\BackupWait.001 C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcecompact35.dll C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\RepairCopy.lnk C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\HideTest.html C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\MeasureUnpublish.aiff C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceqp35.dll C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files\62161c73.lock C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\62161c73.lock C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceme35.dll C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceoledb35.dll C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files\608113r0-readme.txt C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceca35.dll C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\AddSync.shtml C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\NewBackup.lnk C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\SetRepair.xlt C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\608113r0-readme.txt C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\62161c73.lock C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcese35.dll C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\GroupResolve.mp4 C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\CheckpointClear.ppsx C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\608113r0-readme.txt C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files (x86)\608113r0-readme.txt C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\ApproveInitialize.pptm C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\ConvertToRemove.MTS C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\DisconnectUnlock.svg C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\RenameDisconnect.m4a C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceer35EN.dll C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files (x86)\62161c73.lock C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe

"C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

memory/1224-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

memory/1224-57-0x0000000000D30000-0x0000000000DCF000-memory.dmp

memory/1224-58-0x0000000000DD0000-0x0000000000EFD000-memory.dmp

memory/1224-62-0x0000000000410000-0x0000000000411000-memory.dmp

memory/1224-61-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/1224-60-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1224-59-0x00000000001E0000-0x00000000001EA000-memory.dmp

memory/1224-63-0x0000000000450000-0x000000000046F000-memory.dmp

memory/1224-64-0x0000000001190000-0x0000000001299000-memory.dmp

memory/1224-65-0x0000000000420000-0x0000000000426000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-30 08:00

Reported

2022-01-30 08:04

Platform

win10-en-20211208

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Deletes shadow copies

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification \??\c:\users\admin\pictures\ExportTest.tiff C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertToSwitch.crw => \??\c:\users\admin\pictures\ConvertToSwitch.crw.1s97fi8p C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\DisconnectRepair.raw => \??\c:\users\admin\pictures\DisconnectRepair.raw.1s97fi8p C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\ExportTest.tiff => \??\c:\users\admin\pictures\ExportTest.tiff.1s97fi8p C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\MoveResume.tif => \??\c:\users\admin\pictures\MoveResume.tif.1s97fi8p C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\UndoConfirm.raw => \??\c:\users\admin\pictures\UndoConfirm.raw.1s97fi8p C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\AddExport.crw => \??\c:\users\admin\pictures\AddExport.crw.1s97fi8p C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\BlockStep.crw => \??\c:\users\admin\pictures\BlockStep.crw.1s97fi8p C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertConnect.png => \??\c:\users\admin\pictures\ConvertConnect.png.1s97fi8p C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\InstallUnblock.raw => \??\c:\users\admin\pictures\InstallUnblock.raw.1s97fi8p C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\PopGrant.raw => \??\c:\users\admin\pictures\PopGrant.raw.1s97fi8p C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File renamed C:\Users\Admin\Pictures\PopInitialize.crw => \??\c:\users\admin\pictures\PopInitialize.crw.1s97fi8p C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\l42no5h.bmp" C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\1s97fi8p-readme.txt C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\GetDeny.vstm C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\PopStep.gif C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\ResizeExit.ini C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\DismountWrite.otf C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\MeasureSelect.ADT C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\TestSend.csv C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\UpdateConfirm.tiff C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files\62161c73.lock C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\AddInvoke.sys C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\ConnectInvoke.docx C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\SaveUninstall.mpeg C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\SelectRestore.jpg C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\AssertInitialize.dib C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\SendLimit.wmv C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\MountReceive.search-ms C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\SelectPush.docm C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\SubmitStep.iso C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\BlockNew.xps C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\NewBlock.xsl C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\ReadShow.jpg C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\UninstallRepair.mid C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files\1s97fi8p-readme.txt C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\DismountRevoke.mpeg3 C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\GetHide.js C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\RequestAssert.vdw C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\RevokeTest.TS C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\WriteOut.M2V C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File created \??\c:\program files (x86)\62161c73.lock C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\ApproveDebug.potx C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\CopySwitch.3gp2 C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\OutWatch.xlsm C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\PushShow.mp2v C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A
File opened for modification \??\c:\program files\RestartSet.csv C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe

"C:\Users\Admin\AppData\Local\Temp\158b1e1fd5719cbe6fc125d17020d0d6fd1365ef3b6db69941380e5f4c34a8ce.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

memory/2308-115-0x0000000000F90000-0x0000000000FB3000-memory.dmp

memory/2308-116-0x0000000000F90000-0x0000000000FB3000-memory.dmp

memory/2308-117-0x0000000000F90000-0x0000000000FB3000-memory.dmp

memory/2308-118-0x00000000013C0000-0x00000000013C1000-memory.dmp

memory/2308-119-0x0000000002F00000-0x0000000002F06000-memory.dmp