Malware Analysis Report

2025-01-18 19:19

Sample ID 220130-jv8s1shge7
Target 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6
SHA256 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6
Tags: 6 409 sodinokibi ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral2 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

Score: 10/10

SHA256

151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6

Threat Level: Known bad

The file 151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6 was found to be: Known bad.

Malicious Activity Summary

Tags: 6 409 sodinokibi ransomware

Sodin,Sodinokibi,REvil

Sodinokibi family

Sodinokibi/Revil sample

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

The sandbox output carries no technique table for this sample. The mapping below is the editor's, derived from the signatures recorded in the behavioral runs that follow, and uses current Enterprise ATT&CK identifiers.

T1059.003 Command and Scripting Interpreter: Windows Command Shell - cmd.exe /c chain launched by the sample
T1490 Inhibit System Recovery - vssadmin.exe Delete Shadows /All /Quiet; bcdedit /set {default} recoveryenabled No; bcdedit /set {default} bootstatuspolicy ignoreallfailures
T1486 Data Encrypted for Impact - user files and Program Files content rewritten and renamed with an appended run-specific extension, ransom note dropped per directory
T1491.001 Defacement: Internal Defacement - Control Panel\Desktop\Wallpaper pointed at a dropped .bmp
T1083 File and Directory Discovery - every drive letter opened read-only before encryption
T1120 Peripheral Device Discovery - "Enumerates physical storage devices"
T1057 Process Discovery - "Suspicious behavior: EnumeratesProcesses"
T1055 Process Injection - "Suspicious use of WriteProcessMemory" (listed in the summary only; the runs below record no indicator rows for it)
T1134 Access Token Manipulation - SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege adjustments, recorded for vssvc.exe rather than for the sample
T1553.004 Subvert Trust Controls: Install Root Certificate - AuthRoot writes (see the caveat under behavioral1; the certificates written are public roots)
T1071.001 Application Layer Protocol: Web Protocols - HTTPS connections to dozens of unrelated domains

Analysis: static1

Detonation Overview

Reported

2022-01-30 08:00

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
No indicator rows were recorded for the static detections.

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-30 08:00

Reported

2022-01-30 08:04

Platform

win7-en-20211208

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe"

Signatures

Sodin,Sodinokibi,REvil (ransomware, sodinokibi)

Deletes shadow copies (ransomware)

Modifies extensions of user files (ransomware)
Description Indicator Process Target
All rows: Process C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe, Target N/A. The original name and extension are kept and the run-specific extension .7592o7 is appended.
File renamed C:\Users\Admin\Pictures\ConvertFromPing.crw => \??\c:\users\admin\pictures\ConvertFromPing.crw.7592o7
File renamed C:\Users\Admin\Pictures\ConvertFromSet.raw => \??\c:\users\admin\pictures\ConvertFromSet.raw.7592o7
File renamed C:\Users\Admin\Pictures\CopyUndo.crw => \??\c:\users\admin\pictures\CopyUndo.crw.7592o7
File renamed C:\Users\Admin\Pictures\ReadWatch.raw => \??\c:\users\admin\pictures\ReadWatch.raw.7592o7
File renamed C:\Users\Admin\Pictures\SearchMove.png => \??\c:\users\admin\pictures\SearchMove.png.7592o7
File renamed C:\Users\Admin\Pictures\UndoNew.tif => \??\c:\users\admin\pictures\UndoNew.tif.7592o7
File renamed C:\Users\Admin\Pictures\CheckpointOpen.png => \??\c:\users\admin\pictures\CheckpointOpen.png.7592o7
File renamed C:\Users\Admin\Pictures\CompareImport.raw => \??\c:\users\admin\pictures\CompareImport.raw.7592o7
File renamed C:\Users\Admin\Pictures\DisableSplit.crw => \??\c:\users\admin\pictures\DisableSplit.crw.7592o7
File renamed C:\Users\Admin\Pictures\JoinAdd.raw => \??\c:\users\admin\pictures\JoinAdd.raw.7592o7
File renamed C:\Users\Admin\Pictures\RevokeFind.crw => \??\c:\users\admin\pictures\RevokeFind.crw.7592o7
File renamed C:\Users\Admin\Pictures\CheckpointResume.crw => \??\c:\users\admin\pictures\CheckpointResume.crw.7592o7

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) on every drive letter except C: (\??\A: through \??\Z:, 25 opens in all, recorded in the order O, Q, X, Z, F, K, M, N, D, Y, E, L, T, W, R, S, U, A, G, H, P, B, I, J, V), each by C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe, Target N/A. The opens on unassigned letters are the sample probing for mapped network and removable volumes to encrypt.

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ot414g7b3.bmp" C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
All rows: Process C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe, Target N/A. Two kinds of row are interleaved in the sandbox output and are grouped here: files created (the ransom note 7592o7-readme.txt, named after the appended extension, and a marker file a19a44f4.lock, one of each in every directory visited) and files opened for modification (content under c:\program files being rewritten, the encryption step that precedes the rename).

File created \??\c:\program files\7592o7-readme.txt
File created \??\c:\program files\a19a44f4.lock
File created \??\c:\program files (x86)\7592o7-readme.txt
File created \??\c:\program files (x86)\a19a44f4.lock
File created \??\c:\program files (x86)\microsoft sql server compact edition\7592o7-readme.txt
File created \??\c:\program files (x86)\microsoft sql server compact edition\a19a44f4.lock
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\7592o7-readme.txt
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\a19a44f4.lock
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\7592o7-readme.txt
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\a19a44f4.lock

File opened for modification \??\c:\program files\ApproveTrace.WTV
File opened for modification \??\c:\program files\AssertCheckpoint.ogg
File opened for modification \??\c:\program files\BlockGrant.dwfx
File opened for modification \??\c:\program files\BlockRevoke.wma
File opened for modification \??\c:\program files\CompareClear.bmp
File opened for modification \??\c:\program files\ConfirmSearch.rtf
File opened for modification \??\c:\program files\ConnectSend.asp
File opened for modification \??\c:\program files\ConvertBlock.xml
File opened for modification \??\c:\program files\ConvertInstall.mpeg3
File opened for modification \??\c:\program files\DebugPublish.tiff
File opened for modification \??\c:\program files\DenyCompress.M2T
File opened for modification \??\c:\program files\EditInitialize.mov
File opened for modification \??\c:\program files\EditUse.wpl
File opened for modification \??\c:\program files\ExpandUninstall.vssx
File opened for modification \??\c:\program files\FormatEnable.csv
File opened for modification \??\c:\program files\GroupMount.TTS
File opened for modification \??\c:\program files\ImportPublish.ogg
File opened for modification \??\c:\program files\LockSet.cfg
File opened for modification \??\c:\program files\MeasureJoin.dotx
File opened for modification \??\c:\program files\OutCompress.mpg
File opened for modification \??\c:\program files\ReceiveProtect.mp2
File opened for modification \??\c:\program files\RequestDisable.potx
File opened for modification \??\c:\program files\RestoreHide.iso
File opened for modification \??\c:\program files\ResumeTest.mp3
File opened for modification \??\c:\program files\RevokeSkip.snd
File opened for modification \??\c:\program files\SendMeasure.search-ms
File opened for modification \??\c:\program files\StepUnprotect.wmf
File opened for modification \??\c:\program files\SuspendStop.avi
File opened for modification \??\c:\program files\TestWrite.7z
File opened for modification \??\c:\program files\TracePublish.ps1xml
File opened for modification \??\c:\program files\UpdateDebug.dotx

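The two tables above show the on-disk pattern a responder has to recover from a compromised host: user files keep their name and gain a short run-specific extension, a note named after that extension sits in every directory visited, and a lock file with a fixed name accompanies it. The script below is an added example for this page, not sandbox code: given a plain file listing it derives the extension from the note names, counts the files carrying it, tallies their original types, and collects the lock file names. The listing is constructed from paths in this report plus a few filler entries (a note and lock in Pictures, an untouched system file and text file) that the report does not show; the heuristic itself is an analyst's triage assumption, not a statement about the malware's code.

```python
"""Recover the appended extension, ransom-note name and lock file from a
file listing, the pattern seen in this report (.7592o7 / 7592o7-readme.txt /
a19a44f4.lock). Added example; the listing is constructed, see the lead-in.
"""
import ntpath
import re
from collections import Counter, defaultdict

NOTE_SUFFIX = "-readme.txt"                           # note name is "<ext>-readme.txt"
LOCK_NAME = re.compile(r"^[0-9a-f]{8}\.lock$", re.I)  # e.g. a19a44f4.lock


def triage(paths):
    """Return one summary per appended extension, found via its ransom note."""
    names_by_dir = defaultdict(list)
    for p in paths:
        d, name = ntpath.split(p)
        names_by_dir[d.lower()].append(name)

    note_dirs = defaultdict(set)      # token -> directories holding "<token>-readme.txt"
    locks_in_dir = defaultdict(set)   # directory -> lock file names seen there
    for d, names in names_by_dir.items():
        for n in names:
            low = n.lower()
            if low.endswith(NOTE_SUFFIX):
                note_dirs[low[: -len(NOTE_SUFFIX)]].add(d)
            elif LOCK_NAME.match(n):
                locks_in_dir[d].add(low)

    summaries = []
    for token, dirs in note_dirs.items():
        encrypted = sorted(p for p in paths if p.lower().endswith("." + token))
        original_types = Counter()
        for p in encrypted:
            stem = ntpath.basename(p)[: -(len(token) + 1)]   # strip ".<token>"
            original_types[ntpath.splitext(stem)[1].lower().lstrip(".") or "(none)"] += 1
        locks = set()
        for d in dirs:
            locks |= locks_in_dir.get(d, set())
        summaries.append({
            "extension": token,
            "note": token + NOTE_SUFFIX,
            "dirs_with_note": len(dirs),
            "lock_files": locks,
            "encrypted_count": len(encrypted),
            "encrypted": encrypted,
            "original_types": dict(original_types),
        })
    summaries.sort(key=lambda s: -s["encrypted_count"])   # largest infection first
    return summaries


# Constructed listing: paths from this report plus a few filler entries.
LISTING = [
    r"C:\Users\Admin\Pictures\ConvertFromPing.crw.7592o7",
    r"C:\Users\Admin\Pictures\ConvertFromSet.raw.7592o7",
    r"C:\Users\Admin\Pictures\CopyUndo.crw.7592o7",
    r"C:\Users\Admin\Pictures\SearchMove.png.7592o7",
    r"C:\Users\Admin\Pictures\UndoNew.tif.7592o7",
    r"C:\Users\Admin\Pictures\7592o7-readme.txt",          # filler, not in the report
    r"C:\Users\Admin\Pictures\a19a44f4.lock",              # filler, not in the report
    r"c:\program files\7592o7-readme.txt",
    r"c:\program files\a19a44f4.lock",
    r"c:\program files (x86)\microsoft sql server compact edition\v3.5\7592o7-readme.txt",
    r"c:\program files (x86)\microsoft sql server compact edition\v3.5\a19a44f4.lock",
    r"C:\Users\Admin\AppData\Local\Temp\ot414g7b3.bmp",   # dropped wallpaper, not encrypted
    r"C:\Windows\System32\kernel32.dll",                  # untouched system file (filler)
    r"C:\Users\Admin\Desktop\notes.txt",                  # untouched user file (filler)
]

if __name__ == "__main__":
    for s in triage(LISTING):
        print(f'ext .{s["extension"]}: {s["encrypted_count"]} files, note {s["note"]} '
              f'in {s["dirs_with_note"]} dirs, locks {sorted(s["lock_files"])}, '
              f'types {s["original_types"]}')
```

Because the extension is generated per infection (compare .5j6vm on the Windows 10 run below), the function keys on the note naming scheme rather than on a fixed extension; two notes with different tokens on the same host produce two summaries.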
Enumerates physical storage devices

Interacts with shadow copies (ransomware)

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan

Caveat: the two thumbprints written below, 2796BAE63F1801E277261BA0D77770028F20EEE4 and D1EB23A46D17D68FD92564C2F1F1601764D8E349, belong to the public "Go Daddy Class 2 Certification Authority" and "AAA Certificate Services" (Comodo CA Limited) roots; both subject names are readable in the hex-encoded DER of the Blob values. Windows adds missing public roots to AuthRoot automatically when a TLS chain ends in one, so these writes, recorded while the sample was opening HTTPS connections to the domains in the Network section, are consistent with that automatic root update rather than with the sample installing a trust anchor of its own. Treat this signature as weak evidence on its own; the certificate store is not a durable indicator for this family.

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e7
30dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a
4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A

Suspicious use of AdjustPrivilegeToken

Caveat: all three privilege adjustments are attributed to C:\Windows\system32\vssvc.exe, the Volume Shadow Copy service, which enables SeBackupPrivilege and SeRestorePrivilege as part of normal operation whenever a client such as vssadmin.exe asks it to enumerate or delete shadow copies. The signal here is the vssadmin request in the process list, not the service's own token changes.

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

The list is flat in the sandbox output; read it as a chain. The sample starts cmd.exe with the compound command shown, cmd.exe starts vssadmin.exe, and vssvc.exe is the Volume Shadow Copy service that the Service Control Manager starts to serve the vssadmin request (it is not a child of the sample). Two points for a responder: the command line names C:\Windows\System32\cmd.exe but the recorded image is C:\Windows\SysWOW64\cmd.exe, so the sample is a 32-bit executable running under WOW64 file-system redirection on 64-bit Windows; and although the '&' chain makes cmd.exe run both bcdedit commands regardless of how vssadmin exits, no bcdedit.exe process appears in this record (a 32-bit cmd.exe resolves bcdedit through SysWOW64, where it is not present on every Windows build), so the recovery-disabling steps are attempted here, not confirmed.

C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
    "C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe"

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe

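The cmd.exe launch above is the single most detectable moment of this sample: one compound command that deletes shadow copies and turns off Windows recovery. The script below is an added example for this page, not sandbox code: it takes process-creation records (field names image, parent and command_line are assumptions, not a product schema), strips the cmd.exe /c prefix, splits the compound command on unquoted '&', '&&', '|' and '||' while respecting quotes, normalises each piece, and matches it against rules for the three commands recorded here. As a generalization it also covers the wmic shadowcopy delete and vssadmin resize shadowstorage variants of the same technique, which this report does not show. The event records are constructed from the process list above plus two benign commands.

```python
"""Flag process-creation events whose command line inhibits system recovery,
the pattern recorded in this report's cmd.exe launch. Added example; the
events are constructed and the field names are assumptions (see lead-in).
"""
import re

# cmd.exe prefix such as  "C:\Windows\System32\cmd.exe" /c  or  cmd /k
_CMD_PREFIX = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)

# (rule name, pattern applied to one lower-cased sub-command, ATT&CK technique)
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"), "T1490"),
    ("bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b"), "T1490"),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b"), "T1490"),
    # Generalization: equivalent shadow-copy removal not seen in this report.
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"), "T1490"),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b"), "T1490"),
]


def split_compound(command_line):
    """Split a cmd.exe command on unquoted &, &&, | and || separators."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(command_line):
        ch = command_line[i]
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch in "&|" and not in_quote:
            if i + 1 < len(command_line) and command_line[i + 1] == ch:
                i += 1                       # swallow the second char of && / ||
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def sub_commands(command_line):
    """Normalise one command line into lower-cased, whitespace-collapsed pieces."""
    body = _CMD_PREFIX.sub("", command_line.strip())
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]                    # cmd /c "a & b" form
    return [" ".join(p.lower().split()) for p in split_compound(body)]


def scan(events):
    """Return one finding per (event, sub-command, rule) match."""
    findings = []
    for ev in events:
        for piece in sub_commands(ev["command_line"]):
            for name, pattern, technique in RULES:
                if pattern.search(piece):
                    findings.append({"image": ev["image"], "parent": ev.get("parent"),
                                     "rule": name, "technique": technique,
                                     "fragment": piece})
    return findings


# Constructed events mirroring this report's process list, plus two benign ones.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe"
EVENTS = [
    {"image": r"C:\Windows\SysWOW64\cmd.exe", "parent": SAMPLE,
     "command_line": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
                     r" & bcdedit /set {default} recoveryenabled No"
                     r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"image": r"C:\Windows\SysWOW64\vssadmin.exe", "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin.exe list shadows"},                          # benign
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c dir & echo done'},  # benign
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f'{f["technique"]} {f["rule"]:<45} {f["image"]}  <- {f["fragment"]}')
```

Splitting the compound command matters: a rule that only looks at the whole cmd.exe line would fire once and lose the fact that three distinct recovery-inhibiting steps were requested, and a rule anchored on the vssadmin.exe process alone would miss the bcdedit steps entirely, which is exactly the gap this report's process list shows.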
Network

REvil/Sodinokibi carries a long list of domains in its embedded configuration and issues an HTTPS request to each one it can resolve; the list consists mostly of legitimate third-party sites, so the traffic is noise rather than command and control. Read the destinations below as that beacon pattern: dozens of distinct hosts, each contacted once or twice on port 443, all resolved through the sandbox's 8.8.8.8 resolver. They are useful for recognising the pattern and for timeline reconstruction, not as block-list entries or attribution. Seven names were queried with no recorded follow-up connection (hypogenforensic.com, matteoruzzaofficial.com, aslog.fr, sachainchiuk.com, nalliasmali.net, innovationgames-brabant.nl, cesep2019.com), most likely because they did not resolve, and one DNS query was logged without a name.

Country Destination Domain Proto
US 8.8.8.8:53 hypogenforensic.com udp
US 8.8.8.8:53 werkzeugtrolley.net udp
DE 212.172.54.148:443 werkzeugtrolley.net tcp
US 8.8.8.8:53 baita.ac udp
US 162.241.155.170:443 baita.ac tcp
US 162.241.155.170:443 baita.ac tcp
US 8.8.8.8:53 mayprogulka.ru udp
RU 89.22.186.205:443 mayprogulka.ru tcp
US 8.8.8.8:53 michaelfiegel.com udp
US 64.62.236.141:443 michaelfiegel.com tcp
US 64.62.236.141:443 michaelfiegel.com tcp
US 8.8.8.8:53 hotelturbo.de udp
FR 91.250.102.240:443 hotelturbo.de tcp
US 8.8.8.8:53 www.hotelturbo.de udp
FR 91.250.102.240:443 www.hotelturbo.de tcp
US 8.8.8.8:53 jonnyhooley.com udp
GB 35.214.94.12:443 jonnyhooley.com tcp
GB 35.214.94.12:443 jonnyhooley.com tcp
US 8.8.8.8:53 subyard.com udp
GB 139.162.238.239:443 subyard.com tcp
GB 139.162.238.239:443 subyard.com tcp
US 8.8.8.8:53 suitesartemis.gr udp
DE 78.47.210.44:443 suitesartemis.gr tcp
US 8.8.8.8:53 www.suitesartemis.gr udp
DE 78.47.210.44:443 www.suitesartemis.gr tcp
US 8.8.8.8:53 wribrazil.com udp
US 146.71.125.34:443 wribrazil.com tcp
US 146.71.125.34:443 wribrazil.com tcp
US 8.8.8.8:53 subquercy.fr udp
FR 51.75.18.201:443 subquercy.fr tcp
FR 51.75.18.201:443 subquercy.fr tcp
US 8.8.8.8:53 indiebizadvocates.org udp
US 54.189.238.201:443 indiebizadvocates.org tcp
US 54.189.238.201:443 indiebizadvocates.org tcp
US 8.8.8.8:53 arthakapitalforvaltning.dk udp
DK 81.95.245.163:443 arthakapitalforvaltning.dk tcp
DK 81.95.245.163:443 arthakapitalforvaltning.dk tcp
US 8.8.8.8:53 aberdeenartwalk.org udp
US 198.55.248.240:443 aberdeenartwalk.org tcp
US 8.8.8.8:53 pisofare.co udp
US 172.67.198.48:443 pisofare.co tcp
US 8.8.8.8:53 voice2biz.com udp
US 52.14.1.58:443 voice2biz.com tcp
US 8.8.8.8:53 www.voice2biz.com udp
US 52.14.1.58:443 www.voice2biz.com tcp
US 8.8.8.8:53 jax-interim-and-projectmanagement.com udp
NL 91.184.0.30:443 jax-interim-and-projectmanagement.com tcp
NL 91.184.0.30:443 jax-interim-and-projectmanagement.com tcp
US 8.8.8.8:53 sshomme.com udp
US 15.197.142.173:443 sshomme.com tcp
US 3.33.152.147:443 sshomme.com tcp
US 8.8.8.8:53 jaaphoekzema.nl udp
NL 149.210.195.173:443 jaaphoekzema.nl tcp
NL 149.210.195.173:443 jaaphoekzema.nl tcp
US 8.8.8.8:53 aquacheck.co.za udp
ZA 197.221.14.44:443 aquacheck.co.za tcp
ZA 197.221.14.44:443 aquacheck.co.za tcp
US 8.8.8.8:53 egpu.fr udp
FR 89.234.180.47:443 egpu.fr tcp
US 8.8.8.8:53 matteoruzzaofficial.com udp
US 8.8.8.8:53 aslog.fr udp
US 8.8.8.8:53 sachainchiuk.com udp
US 8.8.8.8:53 lapponiasafaris.com udp
US 104.21.12.161:443 lapponiasafaris.com tcp
US 104.21.12.161:443 lapponiasafaris.com tcp
US 8.8.8.8:53 finsahome.co.uk udp
DE 217.160.0.87:443 finsahome.co.uk tcp
DE 217.160.0.87:443 finsahome.co.uk tcp
US 8.8.8.8:53 legundschiess.de udp
DE 195.242.103.118:443 legundschiess.de tcp
DE 195.242.103.118:443 legundschiess.de tcp
US 8.8.8.8:53 nalliasmali.net udp
US 8.8.8.8:53 wrinstitute.org udp
US 23.185.0.4:443 wrinstitute.org tcp
US 23.185.0.4:443 wrinstitute.org tcp
US 8.8.8.8:53 ilveshistoria.com udp
FI 77.240.19.23:443 ilveshistoria.com tcp
FI 77.240.19.23:443 ilveshistoria.com tcp
US 8.8.8.8:53 diverfiestas.com.es udp
FR 176.31.163.21:443 diverfiestas.com.es tcp
US 8.8.8.8:53 parseport.com udp
DK 185.224.18.20:443 parseport.com tcp
DK 185.224.18.20:443 parseport.com tcp
US 8.8.8.8:53 innovationgames-brabant.nl udp
US 8.8.8.8:53 cesep2019.com udp
US 8.8.8.8:53 (no name recorded) udp

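The table above is worth reading as a whole rather than host by host. The script below is an added example for this page, not sandbox code: it parses rows in the table's own "Country Destination Domain Proto" layout, separates names that received an HTTPS connection from names that were only looked up, and applies a fan-out heuristic (many distinct hosts, none contacted more than a couple of times) that matches the domain-list beacon described above. The rows are a subset copied from this report's table, including the unnamed DNS row; the thresholds are assumptions an analyst would tune, not values from the page.

```python
"""Summarise beacon fan-out from a sandbox network table. Added example; the
rows are a subset of this report's Network table and the thresholds are
assumptions (see lead-in).
"""
from collections import defaultdict

# Subset of the report's rows, "Country Destination Domain Proto"; the last
# DNS row was logged without a name, exactly as on the page.
ROWS = """\
US 8.8.8.8:53 hypogenforensic.com udp
US 8.8.8.8:53 werkzeugtrolley.net udp
DE 212.172.54.148:443 werkzeugtrolley.net tcp
US 8.8.8.8:53 baita.ac udp
US 162.241.155.170:443 baita.ac tcp
US 162.241.155.170:443 baita.ac tcp
US 8.8.8.8:53 mayprogulka.ru udp
RU 89.22.186.205:443 mayprogulka.ru tcp
US 8.8.8.8:53 hotelturbo.de udp
FR 91.250.102.240:443 hotelturbo.de tcp
US 8.8.8.8:53 matteoruzzaofficial.com udp
US 8.8.8.8:53 aslog.fr udp
US 8.8.8.8:53 sshomme.com udp
US 15.197.142.173:443 sshomme.com tcp
US 3.33.152.147:443 sshomme.com tcp
US 8.8.8.8:53 udp
"""


def parse_rows(text):
    """Yield (country, ip, port, domain_or_None, proto) for each table row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:                     # DNS query logged with no name
            country, dest, proto = fields
            domain = None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        yield country, ip, int(port), domain, proto


def summarise(text, min_hosts=5, max_per_host=2):
    """Classify each name and decide whether the traffic looks like a domain-list beacon."""
    connects = defaultdict(int)     # domain -> number of TCP/443 connections
    queried = set()                 # domains seen in DNS queries
    unnamed = 0
    for country, ip, port, domain, proto in parse_rows(text):
        if domain is None:
            unnamed += 1
        elif proto == "udp" and port == 53:
            queried.add(domain)
        elif proto == "tcp" and port == 443:
            connects[domain] += 1
    https_hosts = sorted(connects)
    dns_only = sorted(queried - set(connects))
    tlds = {h.rsplit(".", 1)[-1] for h in https_hosts}
    # Beacon shape: many unrelated hosts, each touched only once or twice.
    beacon_like = (len(https_hosts) >= min_hosts
                   and max(connects.values(), default=0) <= max_per_host)
    return {
        "https_hosts": https_hosts,
        "connects_per_host": dict(connects),
        "dns_only": dns_only,
        "unnamed_queries": unnamed,
        "distinct_tlds": len(tlds),
        "beacon_like": beacon_like,
    }


if __name__ == "__main__":
    s = summarise(ROWS)
    print(f"{len(s['https_hosts'])} HTTPS hosts over {s['distinct_tlds']} TLDs, "
          f"{len(s['dns_only'])} DNS-only, beacon-like={s['beacon_like']}")
    for name in s["dns_only"]:
        print("  no connection after lookup:", name)
```

On the full table the host count is far above the threshold used here for the subset; what makes the shape distinctive is the combination of breadth and the cap of one or two connections per host, which ordinary browsing from a single process does not produce in a two-minute window.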
Files

memory/848-54-0x00000000751B1000-0x00000000751B3000-memory.dmp (one 8 KiB region, 0x751B1000 to 0x751B3000, dumped from process 848 by the sandbox)

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-30 08:00

Reported

2022-01-30 08:05

Platform

win10-en-20211208

Max time kernel

150s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe"

Signatures

Sodin,Sodinokibi,REvil (ransomware, sodinokibi)

Deletes shadow copies (ransomware)

Modifies extensions of user files (ransomware)
Description Indicator Process Target
All rows: Process C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe, Target N/A. On this Windows 10 run the appended extension is .5j6vm, not the .7592o7 seen on the Windows 7 run of the same binary: the extension is generated per infection and must not be used as a static indicator. The stable indicator is the scheme (original name and extension kept, short alphanumeric extension appended, ransom note named after it).
File renamed C:\Users\Admin\Pictures\ConvertUndo.raw => \??\c:\users\admin\pictures\ConvertUndo.raw.5j6vm
File renamed C:\Users\Admin\Pictures\ExitDisable.tiff => \??\c:\users\admin\pictures\ExitDisable.tiff.5j6vm
File renamed C:\Users\Admin\Pictures\GetConvert.raw => \??\c:\users\admin\pictures\GetConvert.raw.5j6vm
File opened for modification \??\c:\users\admin\pictures\ExitDisable.tiff
File renamed C:\Users\Admin\Pictures\ClearUnblock.tif => \??\c:\users\admin\pictures\ClearUnblock.tif.5j6vm
File renamed C:\Users\Admin\Pictures\ConvertFromWatch.tif => \??\c:\users\admin\pictures\ConvertFromWatch.tif.5j6vm
File renamed C:\Users\Admin\Pictures\RevokeShow.crw => \??\c:\users\admin\pictures\RevokeShow.crw.5j6vm
File renamed C:\Users\Admin\Pictures\UnregisterUninstall.raw => \??\c:\users\admin\pictures\UnregisterUninstall.raw.5j6vm
File renamed C:\Users\Admin\Pictures\UnblockRead.crw => \??\c:\users\admin\pictures\UnblockRead.crw.5j6vm

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) on 24 drive letters (every letter except C: and I:, recorded in the order U, E, N, S, M, T, W, Y, D, B, G, L, P, Q, Z, H, K, O, J, R, V, X, A, F), each by C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe, Target N/A.
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\33ozpc46.bmp" C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\ClosePublish.vsx C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\GrantRequest.au3 C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\MergeUse.MTS C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\RedoNew.vbe C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\UnregisterOut.wmv C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File created \??\c:\program files\5j6vm-readme.txt C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\AddConfirm.TTS C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\InvokeMount.xsl C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\OutGroup.jpg C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\PingDismount.txt C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\SaveCompress.mht C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\ImportClose.001 C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\ReceiveResolve.bmp C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\StopBlock.asf C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File created \??\c:\program files (x86)\5j6vm-readme.txt C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\ApproveProtect.asp C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\EditExit.docx C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\InvokeEnable.xml C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\ProtectConvertFrom.DVR C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\StepAssert.xsl C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\ApproveMeasure.wps C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\ExpandGet.mpe C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\MountShow.pcx C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\PingUnpublish.xlsm C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\SuspendEnter.ttc C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File created \??\c:\program files\a19a44f4.lock C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File created \??\c:\program files (x86)\a19a44f4.lock C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\CompareClear.ini C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\ClearGrant.dotm C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\EditGrant.dotm C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\InitializeSubmit.wmv C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\LockSuspend.rm C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\RestartTrace.jpeg C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A
File opened for modification \??\c:\program files\StepOpen.i64 C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe

"C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 hypogenforensic.com udp
US 8.8.8.8:53 werkzeugtrolley.net udp
DE 212.172.54.148:443 werkzeugtrolley.net tcp
US 8.8.8.8:53 baita.ac udp
US 162.241.155.170:443 baita.ac tcp
US 8.8.8.8:53 www.baita.ac udp
US 162.241.155.170:443 www.baita.ac tcp
US 8.8.8.8:53 mayprogulka.ru udp
RU 89.22.186.205:443 mayprogulka.ru tcp
US 8.8.8.8:53 michaelfiegel.com udp
US 64.62.236.141:443 michaelfiegel.com tcp
US 8.8.8.8:53 hotelturbo.de udp
FR 91.250.102.240:443 hotelturbo.de tcp
US 8.8.8.8:53 jonnyhooley.com udp
GB 35.214.94.12:443 jonnyhooley.com tcp
US 8.8.8.8:53 subyard.com udp
GB 139.162.238.239:443 subyard.com tcp
US 8.8.8.8:53 suitesartemis.gr udp
DE 78.47.210.44:443 suitesartemis.gr tcp
US 8.8.8.8:53 www.suitesartemis.gr udp
DE 78.47.210.44:443 www.suitesartemis.gr tcp
US 8.8.8.8:53 wribrazil.com udp
US 146.71.125.34:443 wribrazil.com tcp
US 8.8.8.8:53 subquercy.fr udp
FR 51.75.18.201:443 subquercy.fr tcp
US 8.8.8.8:53 indiebizadvocates.org udp
US 54.189.238.201:443 indiebizadvocates.org tcp
US 8.8.8.8:53 arthakapitalforvaltning.dk udp
DK 81.95.245.163:443 arthakapitalforvaltning.dk tcp
US 8.8.8.8:53 aberdeenartwalk.org udp
US 198.55.248.240:443 aberdeenartwalk.org tcp
US 8.8.8.8:53 pisofare.co udp
US 104.21.52.108:443 pisofare.co tcp
US 8.8.8.8:53 voice2biz.com udp
US 52.14.1.58:443 voice2biz.com tcp
US 8.8.8.8:53 www.voice2biz.com udp
US 52.14.1.58:443 www.voice2biz.com tcp
US 8.8.8.8:53 jax-interim-and-projectmanagement.com udp
NL 91.184.0.30:443 jax-interim-and-projectmanagement.com tcp
US 8.8.8.8:53 sshomme.com udp
US 15.197.142.173:443 sshomme.com tcp
US 3.33.152.147:443 sshomme.com tcp
US 8.8.8.8:53 jaaphoekzema.nl udp
NL 149.210.195.173:443 jaaphoekzema.nl tcp
US 8.8.8.8:53 aquacheck.co.za udp
ZA 197.221.14.44:443 aquacheck.co.za tcp
US 8.8.8.8:53 egpu.fr udp
FR 89.234.180.47:443 egpu.fr tcp
US 8.8.8.8:53 matteoruzzaofficial.com udp
US 8.8.8.8:53 aslog.fr udp
US 8.8.8.8:53 sachainchiuk.com udp
US 8.8.8.8:53 lapponiasafaris.com udp
US 172.67.195.38:443 lapponiasafaris.com tcp
US 8.8.8.8:53 finsahome.co.uk udp
DE 217.160.0.87:443 finsahome.co.uk tcp
US 8.8.8.8:53 legundschiess.de udp
DE 195.242.103.118:443 legundschiess.de tcp
US 8.8.8.8:53 nalliasmali.net udp
US 8.8.8.8:53 wrinstitute.org udp
US 23.185.0.4:443 wrinstitute.org tcp
US 8.8.8.8:53 ilveshistoria.com udp
FI 77.240.19.23:443 ilveshistoria.com tcp
US 8.8.8.8:53 diverfiestas.com.es udp
FR 176.31.163.21:443 diverfiestas.com.es tcp
US 8.8.8.8:53 parseport.com udp
DK 185.224.18.20:443 parseport.com tcp
US 8.8.8.8:53 innovationgames-brabant.nl udp
US 8.8.8.8:53 cesep2019.com udp
US 8.8.8.8:53 vdolg24.online udp
US 8.8.8.8:53 imagine-entertainment.com udp
US 45.33.60.166:443 imagine-entertainment.com tcp
US 8.8.8.8:53 metallbau-hartmann.eu udp
DE 109.237.136.215:443 metallbau-hartmann.eu tcp
US 8.8.8.8:53 molade.nl udp
NL 5.79.100.182:443 molade.nl tcp
US 8.8.8.8:53 designimage.ae udp
US 192.185.114.80:443 designimage.ae tcp
US 8.8.8.8:53 kerstliedjeszingen.nl udp
NL 193.34.167.86:443 kerstliedjeszingen.nl tcp
US 8.8.8.8:53 ntinasfiloxenia.gr udp
FI 95.216.12.233:443 ntinasfiloxenia.gr tcp
US 8.8.8.8:53 slideevents.be udp
DE 51.89.7.228:443 slideevents.be tcp

Files

N/A