Analysis Overview
SHA256
0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151
Threat Level: Known bad
The file 0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151 was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodin,Sodinokibi,REvil
Modifies extensions of user files
Enumerates connected drives
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-02 03:58
Signatures
Sodinokibi family
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-02 03:58
Reported
2022-03-02 04:00
Platform
win7-20220223-en
Max time kernel
4294183s
Max time network
143s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\users\admin\pictures\ImportConvertTo.tiff | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BackupRepair.tif => \??\c:\users\admin\pictures\BackupRepair.tif.01z08oy6lq | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ImportConvertTo.tiff => \??\c:\users\admin\pictures\ImportConvertTo.tiff.01z08oy6lq | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RedoExport.crw => \??\c:\users\admin\pictures\RedoExport.crw.01z08oy6lq | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SelectPing.crw => \??\c:\users\admin\pictures\SelectPing.crw.01z08oy6lq | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gq547i623o6.bmp" | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
Drops file in Program Files directory
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1940 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1940 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1940 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1940 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe
"C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | withahmed.com | udp |
| US | 188.114.96.0:443 | withahmed.com | tcp |
| US | 8.8.8.8:53 | thaysa.com | udp |
| DE | 185.53.177.11:443 | thaysa.com | tcp |
| US | 8.8.8.8:53 | comarenterprises.com | udp |
| US | 204.11.56.48:443 | comarenterprises.com | tcp |
| US | 8.8.8.8:53 | xtptrack.com | udp |
| NL | 35.204.74.76:443 | xtptrack.com | tcp |
| NL | 35.204.74.76:443 | xtptrack.com | tcp |
| US | 8.8.8.8:53 | maineemploymentlawyerblog.com | udp |
| NL | 65.9.78.99:443 | maineemploymentlawyerblog.com | tcp |
| US | 8.8.8.8:53 | www.maineemploymentlawyerblog.com | udp |
| NL | 65.9.78.99:443 | www.maineemploymentlawyerblog.com | tcp |
| US | 8.8.8.8:53 | eaglemeetstiger.de | udp |
| DE | 188.68.47.33:443 | eaglemeetstiger.de | tcp |
| DE | 188.68.47.33:443 | eaglemeetstiger.de | tcp |
| US | 8.8.8.8:53 | nandistribution.nl | udp |
| US | 104.21.45.200:443 | nandistribution.nl | tcp |
| US | 8.8.8.8:53 | importardechina.info | udp |
| HK | 47.75.130.171:443 | importardechina.info | tcp |
| US | 8.8.8.8:53 | castillobalduz.es | udp |
| ES | 37.46.72.16:443 | castillobalduz.es | tcp |
| US | 8.8.8.8:53 | www.castillobalduz.es | udp |
| ES | 37.46.72.16:443 | www.castillobalduz.es | tcp |
| ES | 37.46.72.16:443 | www.castillobalduz.es | tcp |
| US | 8.8.8.8:53 | abogadoengijon.es | udp |
| ES | 185.103.37.41:443 | abogadoengijon.es | tcp |
| US | 8.8.8.8:53 | forskolorna.org | udp |
| SE | 194.9.94.86:443 | forskolorna.org | tcp |
| SE | 194.9.94.85:443 | forskolorna.org | tcp |
| US | 8.8.8.8:53 | humanityplus.org | udp |
| US | 198.185.159.144:443 | humanityplus.org | tcp |
| US | 198.185.159.144:443 | humanityplus.org | tcp |
| US | 8.8.8.8:53 | ccpbroadband.com | udp |
| US | 35.208.237.11:443 | ccpbroadband.com | tcp |
| US | 35.208.237.11:443 | ccpbroadband.com | tcp |
| US | 8.8.8.8:53 | fundaciongregal.org | udp |
| ES | 178.23.56.80:443 | fundaciongregal.org | tcp |
| ES | 178.23.56.80:443 | fundaciongregal.org | tcp |
| US | 8.8.8.8:53 | acomprarseguidores.com | udp |
| US | 188.114.97.0:443 | acomprarseguidores.com | tcp |
| US | 8.8.8.8:53 | hhcourier.com | udp |
| NL | 65.9.78.119:443 | hhcourier.com | tcp |
| US | 8.8.8.8:53 | navyfederalautooverseas.com | udp |
| US | 54.210.160.94:443 | navyfederalautooverseas.com | tcp |
| US | 8.8.8.8:53 | sportverein-tambach.de | udp |
| US | 188.114.97.0:443 | sportverein-tambach.de | tcp |
| US | 8.8.8.8:53 | devok.info | udp |
| US | 188.114.96.0:443 | devok.info | tcp |
| US | 8.8.8.8:53 | havecamerawilltravel2017.wordpress.com | udp |
| US | 192.0.78.12:443 | havecamerawilltravel2017.wordpress.com | tcp |
| US | 192.0.78.12:443 | havecamerawilltravel2017.wordpress.com | tcp |
| US | 8.8.8.8:53 | pier40forall.org | udp |
| US | 34.102.136.180:443 | pier40forall.org | tcp |
| US | 34.102.136.180:443 | pier40forall.org | tcp |
| US | 8.8.8.8:53 | galserwis.pl | udp |
| PL | 77.95.237.2:443 | galserwis.pl | tcp |
| PL | 77.95.237.2:443 | galserwis.pl | tcp |
| US | 8.8.8.8:53 | suncrestcabinets.ca | udp |
| DK | 185.58.213.110:443 | suncrestcabinets.ca | tcp |
| DK | 185.58.213.110:443 | suncrestcabinets.ca | tcp |
| US | 8.8.8.8:53 | oneheartwarriors.at | udp |
| CH | 185.178.193.229:443 | oneheartwarriors.at | tcp |
| CH | 185.178.193.229:443 | oneheartwarriors.at | tcp |
| US | 8.8.8.8:53 | coding-machine.com | udp |
| FR | 164.132.235.17:443 | coding-machine.com | tcp |
| US | 8.8.8.8:53 | degroenetunnel.com | udp |
| NL | 213.108.104.109:443 | degroenetunnel.com | tcp |
| NL | 213.108.104.109:443 | degroenetunnel.com | tcp |
| US | 8.8.8.8:53 | lange.host | udp |
| US | 188.114.97.0:443 | lange.host | tcp |
| US | 8.8.8.8:53 | enovos.de | udp |
| DE | 134.119.0.86:443 | enovos.de | tcp |
| DE | 134.119.0.86:443 | enovos.de | tcp |
| US | 8.8.8.8:53 | zewatchers.com | udp |
| FR | 185.100.5.208:443 | zewatchers.com | tcp |
| US | 8.8.8.8:53 | eraorastudio.com | udp |
| US | 198.54.115.34:443 | eraorastudio.com | tcp |
| US | 198.54.115.34:443 | eraorastudio.com | tcp |
| US | 8.8.8.8:53 | karacaoglu.nl | udp |
| NL | 141.138.169.219:443 | karacaoglu.nl | tcp |
| NL | 141.138.169.219:443 | karacaoglu.nl | tcp |
| US | 8.8.8.8:53 | senson.fi | udp |
| FI | 185.82.144.213:443 | senson.fi | tcp |
| FI | 185.82.144.213:443 | senson.fi | tcp |
| US | 8.8.8.8:53 | chavesdoareeiro.com | udp |
| US | 8.8.8.8:53 | zervicethai.co.th | udp |
| US | 8.8.8.8:53 | walter-lemm.de | udp |
| DE | 5.35.225.156:443 | walter-lemm.de | tcp |
| DE | 5.35.225.156:443 | walter-lemm.de | tcp |
| US | 8.8.8.8:53 | commercialboatbuilding.com | udp |
| TR | 79.98.129.216:443 | commercialboatbuilding.com | tcp |
| TR | 79.98.129.216:443 | commercialboatbuilding.com | tcp |
| US | 8.8.8.8:53 | milestoneshows.com | udp |
| CA | 208.90.68.80:443 | milestoneshows.com | tcp |
| CA | 208.90.68.80:443 | milestoneshows.com | tcp |
| US | 8.8.8.8:53 | theletter.company | udp |
| US | 34.98.99.30:443 | theletter.company | tcp |
| US | 34.98.99.30:443 | theletter.company | tcp |
| US | 8.8.8.8:53 | ruralarcoiris.com | udp |
| ES | 46.231.127.30:443 | ruralarcoiris.com | tcp |
| US | 8.8.8.8:53 | sarbatkhalsafoundation.org | udp |
| US | 198.71.233.227:443 | sarbatkhalsafoundation.org | tcp |
| US | 8.8.8.8:53 | agence-referencement-naturel-geneve.net | udp |
| CH | 128.65.195.18:443 | agence-referencement-naturel-geneve.net | tcp |
| CH | 128.65.195.18:443 | agence-referencement-naturel-geneve.net | tcp |
| US | 8.8.8.8:53 | kidbucketlist.com.au | udp |
| US | 162.241.217.210:443 | kidbucketlist.com.au | tcp |
| US | 162.241.217.210:443 | kidbucketlist.com.au | tcp |
| US | 8.8.8.8:53 | rushhourappliances.com | udp |
| US | 69.16.228.144:443 | rushhourappliances.com | tcp |
| US | 69.16.228.144:443 | rushhourappliances.com | tcp |
| US | 8.8.8.8:53 | haar-spange.com | udp |
| FR | 5.135.138.19:443 | haar-spange.com | tcp |
| FR | 5.135.138.19:443 | haar-spange.com | tcp |
| US | 8.8.8.8:53 | balticdentists.com | udp |
| LT | 79.98.28.6:443 | balticdentists.com | tcp |
| US | 8.8.8.8:53 | tulsawaterheaterinstallation.com | udp |
| HK | 47.75.130.171:443 | tulsawaterheaterinstallation.com | tcp |
Files
memory/1940-54-0x0000000076271000-0x0000000076273000-memory.dmp
memory/656-55-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp
memory/656-56-0x000007FEEF820000-0x000007FEF037D000-memory.dmp
memory/656-60-0x0000000002964000-0x0000000002967000-memory.dmp
memory/656-59-0x0000000002962000-0x0000000002964000-memory.dmp
memory/656-58-0x0000000002960000-0x0000000002962000-memory.dmp
memory/656-57-0x000007FEF60DE000-0x000007FEF60DF000-memory.dmp
memory/656-61-0x000000000296B000-0x000000000298A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-02 03:58
Reported
2022-03-02 04:00
Platform
win10v2004-en-20220113
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\NewInstall.tif => \??\c:\users\admin\pictures\NewInstall.tif.mn02mt | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RemoveApprove.crw => \??\c:\users\admin\pictures\RemoveApprove.crw.mn02mt | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PublishStop.tif => \??\c:\users\admin\pictures\PublishStop.tif.mn02mt | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RestorePop.raw => \??\c:\users\admin\pictures\RestorePop.raw.mn02mt | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockRedo.raw => \??\c:\users\admin\pictures\BlockRedo.raw.mn02mt | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ClearSuspend.tif => \??\c:\users\admin\pictures\ClearSuspend.tif.mn02mt | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DenyConnect.tif => \??\c:\users\admin\pictures\DenyConnect.tif.mn02mt | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\38h.bmp" | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
Drops file in Program Files directory
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2924 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2924 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe
"C:\Users\Admin\AppData\Local\Temp\0d136f12798a5b16466fc9433c748a4ae8c5e63d8af7ee9c9cb549a455255151.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | withahmed.com | udp |
| US | 188.114.97.0:443 | withahmed.com | tcp |
| US | 8.8.8.8:53 | thaysa.com | udp |
| DE | 185.53.177.11:443 | thaysa.com | tcp |
| US | 8.8.8.8:53 | comarenterprises.com | udp |
| US | 204.11.56.48:443 | comarenterprises.com | tcp |
| US | 8.8.8.8:53 | xtptrack.com | udp |
| NL | 35.204.74.76:443 | xtptrack.com | tcp |
| US | 8.8.8.8:53 | www.xtptrack.com | udp |
| US | 104.21.89.95:443 | www.xtptrack.com | tcp |
| US | 8.8.8.8:53 | maineemploymentlawyerblog.com | udp |
| NL | 65.9.78.42:443 | maineemploymentlawyerblog.com | tcp |
| US | 8.8.8.8:53 | www.maineemploymentlawyerblog.com | udp |
| NL | 65.9.78.99:443 | www.maineemploymentlawyerblog.com | tcp |
| US | 8.8.8.8:53 | eaglemeetstiger.de | udp |
| DE | 188.68.47.33:443 | eaglemeetstiger.de | tcp |
| US | 8.8.8.8:53 | nandistribution.nl | udp |
| US | 172.67.218.185:443 | nandistribution.nl | tcp |
| US | 8.8.8.8:53 | importardechina.info | udp |
| HK | 47.75.130.171:443 | importardechina.info | tcp |
| US | 8.8.8.8:53 | castillobalduz.es | udp |
| ES | 37.46.72.16:443 | castillobalduz.es | tcp |
| US | 8.8.8.8:53 | www.castillobalduz.es | udp |
| ES | 37.46.72.16:443 | www.castillobalduz.es | tcp |
| ES | 37.46.72.16:443 | www.castillobalduz.es | tcp |
| US | 8.8.8.8:53 | abogadoengijon.es | udp |
| ES | 185.103.37.41:443 | abogadoengijon.es | tcp |
| US | 8.8.8.8:53 | forskolorna.org | udp |
| SE | 194.9.94.86:443 | forskolorna.org | tcp |
| SE | 194.9.94.85:443 | forskolorna.org | tcp |
| US | 8.8.8.8:53 | humanityplus.org | udp |
| US | 198.185.159.144:443 | humanityplus.org | tcp |
| US | 8.8.8.8:53 | www.humanityplus.org | udp |
| US | 198.185.159.144:443 | www.humanityplus.org | tcp |
| US | 8.8.8.8:53 | ccpbroadband.com | udp |
| US | 35.208.237.11:443 | ccpbroadband.com | tcp |
| US | 8.8.8.8:53 | fundaciongregal.org | udp |
| ES | 178.23.56.80:443 | fundaciongregal.org | tcp |
| US | 8.8.8.8:53 | acomprarseguidores.com | udp |
| US | 188.114.97.0:443 | acomprarseguidores.com | tcp |
| US | 8.8.8.8:53 | hhcourier.com | udp |
| NL | 65.9.78.119:443 | hhcourier.com | tcp |
| NL | 65.9.78.119:443 | hhcourier.com | tcp |
| NL | 65.9.78.119:443 | hhcourier.com | tcp |
| US | 8.8.8.8:53 | navyfederalautooverseas.com | udp |
| US | 54.85.13.159:443 | navyfederalautooverseas.com | tcp |
| US | 8.8.8.8:53 | sportverein-tambach.de | udp |
| US | 188.114.97.0:443 | sportverein-tambach.de | tcp |
| US | 8.8.8.8:53 | devok.info | udp |
| US | 104.21.81.116:443 | devok.info | tcp |
| US | 8.8.8.8:53 | havecamerawilltravel2017.wordpress.com | udp |
| US | 192.0.78.12:443 | havecamerawilltravel2017.wordpress.com | tcp |
| US | 8.8.8.8:53 | pier40forall.org | udp |
| US | 34.102.136.180:443 | pier40forall.org | tcp |
| US | 34.102.136.180:443 | pier40forall.org | tcp |
| US | 34.102.136.180:443 | pier40forall.org | tcp |
| US | 8.8.8.8:53 | galserwis.pl | udp |
| PL | 77.95.237.2:443 | galserwis.pl | tcp |
| US | 8.8.8.8:53 | suncrestcabinets.ca | udp |
| DK | 185.58.213.110:443 | suncrestcabinets.ca | tcp |
| US | 8.8.8.8:53 | oneheartwarriors.at | udp |
| CH | 185.178.193.229:443 | oneheartwarriors.at | tcp |
| US | 8.8.8.8:53 | coding-machine.com | udp |
| FR | 164.132.235.17:443 | coding-machine.com | tcp |
| US | 8.8.8.8:53 | degroenetunnel.com | udp |
| NL | 213.108.104.109:443 | degroenetunnel.com | tcp |
| US | 8.8.8.8:53 | lange.host | udp |
| US | 172.67.188.182:443 | lange.host | tcp |
| US | 8.8.8.8:53 | enovos.de | udp |
| DE | 134.119.0.86:443 | enovos.de | tcp |
| US | 8.8.8.8:53 | zewatchers.com | udp |
| FR | 185.100.5.208:443 | zewatchers.com | tcp |
| US | 8.8.8.8:53 | eraorastudio.com | udp |
| US | 198.54.115.34:443 | eraorastudio.com | tcp |
| US | 8.8.8.8:53 | karacaoglu.nl | udp |
| NL | 141.138.169.219:443 | karacaoglu.nl | tcp |
| US | 8.8.8.8:53 | senson.fi | udp |
| FI | 185.82.144.213:443 | senson.fi | tcp |
| US | 8.8.8.8:53 | chavesdoareeiro.com | udp |
| US | 8.8.8.8:53 | zervicethai.co.th | udp |
| US | 8.8.8.8:53 | walter-lemm.de | udp |
| DE | 5.35.225.156:443 | walter-lemm.de | tcp |
| US | 8.8.8.8:53 | commercialboatbuilding.com | udp |
| TR | 79.98.129.216:443 | commercialboatbuilding.com | tcp |
| US | 8.8.8.8:53 | milestoneshows.com | udp |
| CA | 208.90.68.80:443 | milestoneshows.com | tcp |
| US | 8.8.8.8:53 | theletter.company | udp |
| US | 34.98.99.30:443 | theletter.company | tcp |
| US | 34.98.99.30:443 | theletter.company | tcp |
| US | 34.98.99.30:443 | theletter.company | tcp |
| US | 8.8.8.8:53 | ruralarcoiris.com | udp |
| ES | 46.231.127.30:443 | ruralarcoiris.com | tcp |
| US | 8.8.8.8:53 | sarbatkhalsafoundation.org | udp |
| US | 198.71.233.227:443 | sarbatkhalsafoundation.org | tcp |
| US | 8.8.8.8:53 | agence-referencement-naturel-geneve.net | udp |
| CH | 128.65.195.18:443 | agence-referencement-naturel-geneve.net | tcp |
| US | 8.8.8.8:53 | kidbucketlist.com.au | udp |
| US | 162.241.217.210:443 | kidbucketlist.com.au | tcp |
| US | 8.8.8.8:53 | rushhourappliances.com | udp |
| US | 69.16.228.144:443 | rushhourappliances.com | tcp |
Files
memory/1660-130-0x00007FF9A6AB3000-0x00007FF9A6AB5000-memory.dmp
memory/1660-132-0x0000020607A20000-0x0000020607A22000-memory.dmp
memory/1660-131-0x0000020607A23000-0x0000020607A25000-memory.dmp
memory/1660-133-0x00000206215F0000-0x0000020621612000-memory.dmp
memory/1660-134-0x0000020607A26000-0x0000020607A28000-memory.dmp