Analysis
- max time kernel: 139s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 04-05-2021 14:30

Static task: static1
Behavioral task: behavioral1
Sample: 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
Resource: win7v20210408
Behavioral task: behavioral2
Sample: 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
Resource: win10v20210410

General
- Target: 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
- Size: 308KB
- MD5: ec423a03baa81be57f07cc2243552d93
- SHA1: 7089c6d938e3bae0febac05f4b4b10bb2f92142c
- SHA256: 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6
- SHA512: 6d533efdd332e362e9cf41c17db6dc07f41fbeb428a1a303c53d3b6b71277a2df3bedc6d2c347279d29ff34cdfc1998201f3b709adcc5ca6d5e8811d11272191
Malware Config
Extracted
C:\456ubtz-README.txt
http://decryptor.cc/110E8423B6333937
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/110E8423B6333937
Extracted
sodinokibi
$2a$10$t3DhTruaNQkuwj0ZThetBO76elGNsuZ6qHEDd9eLbWXl1fJiNkEUq
3612
all-turtles.com
smogathon.com
mediaacademy-iraq.org
nhadatcanho247.com
milsing.hr
cursoporcelanatoliquido.online
broseller.com
ftlc.es
compliancesolutionsstrategies.com
ampisolabergeggi.it
cheminpsy.fr
planchaavapor.net
vibethink.net
rosavalamedahr.com
lionware.de
liliesandbeauties.org
smart-light.co.uk
gadgetedges.com
psa-sec.de
ledmes.ru
ravensnesthomegoods.com
alvinschwartz.wordpress.com
nancy-informatique.fr
krlosdavid.com
expandet.dk
bafuncs.org
retroearthstudio.com
nurturingwisdom.com
firstpaymentservices.com
pixelarttees.com
zso-mannheim.de
abl1.net
bodyfulls.com
gantungankunciakrilikbandung.com
rksbusiness.com
hebkft.hu
mirjamholleman.nl
montrium.com
mirkoreisser.de
ussmontanacommittee.us
smale-opticiens.nl
selfoutlet.com
lefumetdesdombes.com
denovofoodsgroup.com
stoeferlehalle.de
slwgs.org
ecopro-kanto.com
oemands.dk
mymoneyforex.com
xltyu.com
danholzmann.com
irishmachineryauctions.com
daklesa.de
fairfriends18.de
finediningweek.pl
artotelamsterdam.com
samnewbyjax.com
rebeccarisher.com
juneauopioidworkgroup.org
stupbratt.no
mir-na-iznanku.com
loprus.pl
bowengroup.com.au
girlillamarketing.com
uranus.nl
sipstroysochi.ru
lukeshepley.wordpress.com
qlog.de
chrissieperry.com
no-plans.com
foryourhealth.live
vietlawconsultancy.com
leoben.at
aniblinova.wordpress.com
DupontSellsHomes.com
centrospgolega.com
asteriag.com
fax-payday-loans.com
braffinjurylawfirm.com
praxis-foerderdiagnostik.de
slupetzky.at
paymybill.guru
www1.proresult.no
sandd.nl
aco-media.nl
baumkuchenexpo.jp
candyhouseusa.com
myhostcloud.com
naturalrapids.com
geekwork.pl
solerluethi-allart.ch
alhashem.net
zenderthelender.com
ralister.co.uk
boompinoy.com
botanicinnovations.com
waywithwords.net
rostoncastings.co.uk
c2e-poitiers.com
bockamp.com
stallbyggen.se
the-virtualizer.com
promesapuertorico.com
fiscalsort.com
todocaracoles.com
alysonhoward.com
glennroberts.co.nz
easytrans.com.au
evergreen-fishing.com
ouryoungminds.wordpress.com
senson.fi
homecomingstudio.com
yamalevents.com
buroludo.nl
tomaso.gr
pierrehale.com
hatech.io
twohourswithlena.wordpress.com
blacksirius.de
healthyyworkout.com
campus2day.de
liikelataamo.fi
summitmarketingstrategies.com
kirkepartner.dk
team-montage.dk
1team.es
ctrler.cn
kedak.de
craigmccabe.fun
lachofikschiet.nl
webmaster-peloton.com
quickyfunds.com
rieed.de
iwr.nl
heidelbergartstudio.gallery
tulsawaterheaterinstallation.com
familypark40.com
lecantou-coworking.com
projetlyonturin.fr
pawsuppetlovers.com
simpliza.com
bundabergeyeclinic.com.au
ceid.info.tr
ulyssemarketing.com
vihannesporssi.fi
elpa.se
newstap.com.ng
ora-it.de
richard-felix.co.uk
imaginado.de
bestbet.com
craigvalentineacademy.com
dublikator.com
ruralarcoiris.com
boisehosting.net
nachhilfe-unterricht.com
baustb.de
hairnetty.wordpress.com
better.town
helenekowalsky.com
toponlinecasinosuk.co.uk
4youbeautysalon.com
raschlosser.de
dubscollective.com
woodworkersolution.com
parks-nuernberg.de
officehymy.com
uimaan.fi
sexandfessenjoon.wordpress.com
alsace-first.com
leeuwardenstudentcity.nl
ivivo.es
chatizel-paysage.fr
classycurtainsltd.co.uk
devok.info
bingonearme.org
kenhnoithatgo.com
bee4win.com
proudground.org
devlaur.com
jobmap.at
intecwi.com
123vrachi.ru
denifl-consulting.at
augenta.com
bouquet-de-roses.com
mooglee.com
pogypneu.sk
consultaractadenacimiento.com
justinvieira.com
dekkinngay.com
hkr-reise.de
webhostingsrbija.rs
sw1m.ru
sobreholanda.com
globedivers.wordpress.com
deprobatehelp.com
stampagrafica.es
simplyblessedbykeepingitreal.com
sotsioloogia.ee
vesinhnha.com.vn
lmtprovisions.com
hushavefritid.dk
siluet-decor.ru
xtptrack.com
kath-kirche-gera.de
morawe-krueger.de
stemenstilte.nl
sagadc.com
anteniti.com
zweerscreatives.nl
funjose.org.gt
katiekerr.co.uk
rhinosfootballacademy.com
tastewilliamsburg.com
harpershologram.wordpress.com
eadsmurraypugh.com
hotelzentral.at
wacochamber.com
div-vertriebsforschung.de
coastalbridgeadvisors.com
sanaia.com
themadbotter.com
brandl-blumen.de
mmgdouai.fr
michaelsmeriglioracing.com
apolomarcas.com
otsu-bon.com
ihr-news.jp
malychanieruchomoscipremium.com
ventti.com.ar
friendsandbrgrs.com
modelmaking.nl
deschl.net
architekturbuero-wagner.net
boldcitydowntown.com
lescomtesdemean.be
simoneblum.de
conasmanagement.de
shhealthlaw.com
odiclinic.org
videomarketing.pro
qualitaetstag.de
autodemontagenijmegen.nl
americafirstcommittee.org
surespark.org.uk
yassir.pro
minipara.com
sachnendoc.com
iviaggisonciliegie.it
jyzdesign.com
lapinlviasennus.fi
aminaboutique247.com
whyinterestingly.ru
pasvenska.se
argos.wityu.fund
stingraybeach.com
tetinfo.in
advizewealth.com
burkert-ideenreich.de
werkkring.nl
wari.com.pe
work2live.de
portoesdofarrobo.com
smejump.co.th
creamery201.com
ostheimer.at
luckypatcher-apkz.com
humancondition.com
c-a.co.in
kamahouse.net
unim.su
romeguidedvisit.com
euro-trend.pl
manifestinglab.com
seproc.hn
manijaipur.com
izzi360.com
crediacces.com
buymedical.biz
sarbatkhalsafoundation.org
antenanavi.com
bristolaeroclub.co.uk
jacquin-maquettes.com
forestlakeuca.org.au
blog.solutionsarchitect.guru
hellohope.com
rerekatu.com
tampaallen.com
kaliber.co.jp
hexcreatives.co
conexa4papers.trade
sevenadvertising.com
igfap.com
vetapharma.fr
longislandelderlaw.com
trapiantofue.it
quemargrasa.net
kosterra.com
osterberg.fi
autopfand24.de
koko-nora.dk
cyntox.com
haremnick.com
365questions.org
dsl-ip.de
darnallwellbeing.org.uk
tinkoff-mobayl.ru
vanswigchemdesign.com
farhaani.com
securityfmm.com
bouncingbonanza.com
servicegsm.net
atozdistribution.co.uk
stefanpasch.me
despedidascostablanca.es
kadesignandbuild.co.uk
ncs-graphic-studio.com
puertamatic.es
mrsfieldskc.com
people-biz.com
bastutunnan.se
pmc-services.de
schoellhammer.com
homng.net
handi-jack-llc.com
cwsitservices.co.uk
remcakram.com
ikads.org
carrybrands.nl
pcprofessor.com
insigniapmg.com
pay4essays.net
blood-sports.net
fatfreezingmachines.com
groupe-frayssinet.fr
hhcourier.com
kuntokeskusrok.fi
zimmerei-deboer.de
asgestion.com
coding-marking.com
aunexis.ch
trulynolen.co.uk
lloydconstruction.com
12starhd.online
ilso.net
mezhdu-delom.ru
micahkoleoso.de
asiluxury.com
mank.de
partnertaxi.sk
nokesvilledentistry.com
cite4me.org
nicoleaeschbachorg.wordpress.com
opatrovanie-ako.sk
plastidip.com.ar
citymax-cr.com
polzine.net
jadwalbolanet.info
diversiapsicologia.es
evologic-technologies.com
antonmack.de
takeflat.com
wellplast.se
bordercollie-nim.nl
aselbermachen.com
onlyresultsmarketing.com
shiresresidential.com
aarvorg.com
bloggyboulga.net
tomoiyuma.com
behavioralmedicinespecialists.com
sportiomsportfondsen.nl
iwelt.de
mbxvii.com
drugdevice.org
purposeadvisorsolutions.com
lubetkinmediacompanies.com
roadwarrior.app
unetica.fr
stacyloeb.com
jbbjw.com
urist-bogatyr.ru
elimchan.com
helikoptervluchtnewyork.nl
pmcimpact.com
hiddencitysecrets.com.au
kao.at
toreria.es
qualitus.com
abitur-undwieweiter.de
lbcframingelectrical.com
web.ion.ag
licor43.de
ymca-cw.org.uk
acomprarseguidores.com
admos-gleitlager.de
cranleighscoutgroup.org
tanciu.com
chavesdoareeiro.com
monark.com
wolf-glas-und-kunst.de
insidegarage.pl
ecpmedia.vn
i-trust.dk
ino-professional.ru
whittier5k.com
rota-installations.co.uk
narcert.com
hihaho.com
gamesboard.info
platformier.com
troegs.com
entopic.com
4net.guru
autofolierung-lu.de
destinationclients.fr
judithjansen.com
amylendscrestview.com
nakupunafoundation.org
withahmed.com
blewback.com
dareckleyministries.com
refluxreducer.com
notsilentmd.org
i-arslan.de
jsfg.com
beautychance.se
macabaneaupaysflechois.com
schmalhorst.de
x-ray.ca
ilcdover.com
solinegraphic.com
tenacitytenfold.com
theduke.de
xn--fn-kka.no
ateliergamila.com
executiveairllc.com
skiltogprint.no
chaotrang.com
perbudget.com
xn--fnsterputssollentuna-39b.se
edgewoodestates.org
verbisonline.com
kidbucketlist.com.au
noskierrenteria.com
rollingrockcolumbia.com
jobcenterkenya.com
corona-handles.com
thedresserie.com
oneplusresource.org
smartypractice.com
karacaoglu.nl
thaysa.com
chandlerpd.com
brigitte-erler.com
julis-lsa.de
seevilla-dr-sturm.at
lange.host
thee.network
nvwoodwerks.com
yourobgyn.net
makeflowers.ru
vitavia.lt
celularity.com
aprepol.com
strategicstatements.com
charlesreger.com
schlafsack-test.net
upplandsspar.se
serce.info.pl
coding-machine.com
brawnmediany.com
corola.es
meusharklinithome.wordpress.com
xn--vrftet-pua.biz
frontierweldingllc.com
kissit.ca
321play.com.hk
waveneyrivercentre.co.uk
gasolspecialisten.se
schutting-info.nl
kojima-shihou.com
cuppacap.com
mindpackstudios.com
biapi-coaching.fr
mercantedifiori.com
dr-pipi.de
ra-staudte.de
caribbeansunpoker.com
profectis.de
pointos.com
digi-talents.com
homesdollar.com
maasreusel.nl
pt-arnold.de
porno-gringo.com
arteservicefabbro.com
abuelos.com
xlarge.at
nacktfalter.de
liveottelut.com
fundaciongregal.org
teresianmedia.org
smokeysstoves.com
notmissingout.com
craftleathermnl.com
interactcenter.org
nosuchthingasgovernment.com
financescorecard.com
effortlesspromo.com
grelot-home.com
danubecloud.com
bigasgrup.com
bogdanpeptine.ro
oldschoolfun.net
seitzdruck.com
directwindowco.com
allure-cosmetics.at
nandistribution.nl
starsarecircular.org
fotoscondron.com
baptisttabernacle.com
joseconstela.com
modamilyon.com
groupe-cets.com
body-armour.online
aurum-juweliere.de
ditog.fr
katketytaanet.fi
eaglemeetstiger.de
chefdays.de
bbsmobler.se
allentownpapershow.com
vannesteconstruct.be
pickanose.com
wien-mitte.co.at
veybachcenter.de
kisplanning.com.au
baylegacy.com
appsformacpc.com
supportsumba.nl
drinkseed.com
geoffreymeuli.com
hrabritelefon.hr
iqbalscientific.com
balticdermatology.lt
gaiam.nl
pasivect.co.uk
verytycs.com
tstaffing.nl
advokathuset.dk
new.devon.gov.uk
sabel-bf.com
maratonaclubedeportugal.com
ai-spt.jp
nestor-swiss.ch
creative-waves.co.uk
run4study.com
mapawood.com
klimt2012.info
live-your-life.jp
southeasternacademyofprosthodontics.org
berlin-bamboo-bikes.org
mountaintoptinyhomes.com
actecfoundation.org
galserwis.pl
space.ua
cerebralforce.net
huehnerauge-entfernen.de
greenpark.ch
newyou.at
rafaut.com
kmbshipping.co.uk
norpol-yachting.com
drfoyle.com
abogados-en-alicante.es
kikedeoliveira.com
prochain-voyage.net
dnepr-beskid.com.ua
ontrailsandboulevards.com
rumahminangberdaya.com
fitovitaforum.com
femxarxa.cat
calabasasdigest.com
wasmachtmeinfonds.at
microcirc.net
woodleyacademy.org
socstrp.org
boosthybrid.com.au
aglend.com.au
visiativ-industry.fr
haar-spange.com
urmasiimariiuniri.ro
mariposapropaneaz.com
oceanastudios.com
degroenetunnel.com
celeclub.org
mrtour.site
waermetauscher-berechnen.de
garage-lecompte-rouen.fr
pv-design.de
kindersitze-vergleich.de
aakritpatel.com
herbstfeststaefa.ch
vitalyscenter.es
ilive.lt
mrxermon.de
lebellevue.fr
greenfieldoptimaldentalcare.com
beaconhealthsystem.org
besttechie.com
havecamerawilltravel2017.wordpress.com
evangelische-pfarrgemeinde-tuniberg.de
piajeppesen.dk
amerikansktgodis.se
bridgeloanslenders.com
jorgobe.at
fensterbau-ziegler.de
zimmerei-fl.de
teknoz.net
goodgirlrecovery.com
sahalstore.com
micro-automation.de
bptdmaluku.com
adultgamezone.com
klusbeter.nl
marcuswhitten.site
bricotienda.com
victoriousfestival.co.uk
edelman.jp
vorotauu.ru
berliner-versicherungsvergleich.de
higadograsoweb.com
navyfederalautooverseas.com
balticdentists.com
triactis.com
1kbk.com.ua
the-domain-trader.com
vox-surveys.com
makeurvoiceheard.com
myhealth.net.au
devstyle.org
blgr.be
johnsonfamilyfarmblog.wordpress.com
dw-css.de
mikeramirezcpa.com
love30-chanko.com
patrickfoundation.net
kostenlose-webcams.com
dramagickcom.wordpress.com
iyengaryogacharlotte.com
phantastyk.com
anybookreader.de
bookspeopleplaces.com
nsec.se
zzyjtsgls.com
tux-espacios.com
dr-tremel-rednitzhembach.de
irinaverwer.com
reddysbakery.com
hannah-fink.de
antiaginghealthbenefits.com
camsadviser.com
outcomeisincome.com
tecnojobsnet.com
zflas.com
allamatberedare.se
echtveilig.nl
smalltownideamill.wordpress.com
podsosnami.ru
houseofplus.com
gonzalezfornes.es
ftf.or.at
bouldercafe-wuppertal.de
ausbeverage.com.au
transliminaltribe.wordpress.com
danskretursystem.dk
petnest.ir
deltacleta.cat
marchand-sloboda.com
kalkulator-oszczednosci.pl
carlosja.com
sairaku.net
gw2guilds.org
galleryartfair.com
bierensgebakkramen.nl
jusibe.com
jiloc.com
bhwlawfirm.com
controldekk.com
ziegler-praezisionsteile.de
sterlingessay.com
softsproductkey.com
copystar.co.uk
travelffeine.com
corendonhotels.com
modestmanagement.com
jerling.de
pridoxmaterieel.nl
maryloutaylor.com
spinheal.ru
bargningharnosand.se
punchbaby.com
bsaship.com
milanonotai.it
stoneys.ch
autodujos.lt
imadarchid.com
filmvideoweb.com
edrcreditservices.nl
body-guards.it
centuryrs.com
comarenterprises.com
airconditioning-waalwijk.nl
smithmediastrategies.com
rehabilitationcentersinhouston.net
employeesurveys.com
hashkasolutindo.com
iphoneszervizbudapest.hu
xn--singlebrsen-vergleich-nec.com
cleliaekiko.online
nativeformulas.com
syndikat-asphaltfieber.de
imperfectstore.com
y-archive.com
zieglerbrothers.de
sportsmassoren.com
vloeren-nu.nl
layrshift.eu
neuschelectrical.co.za
theapifactory.com
mediaplayertest.net
plantag.de
erstatningsadvokaterne.dk
operaslovakia.sk
idemblogs.com
htchorst.nl
eraorastudio.com
marathonerpaolo.com
beyondmarcomdotcom.wordpress.com
lusak.at
presseclub-magdeburg.de
latestmodsapks.com
radaradvies.nl
scenepublique.net
ecoledansemulhouse.fr
norovirus-ratgeber.de
smessier.com
satyayoga.de
wmiadmin.com
nijaplay.com
sinal.org
transportesycementoshidalgo.es
zewatchers.com
desert-trails.com
vyhino-zhulebino-24.ru
artige.com
caribdoctor.org
thenewrejuveme.com
faizanullah.com
smhydro.com.pl
stoeberstuuv.de
siliconbeach-realestate.com
shsthepapercut.com
parking.netgateway.eu
nuzech.com
turkcaparbariatrics.com
geisterradler.de
fotoideaymedia.es
embracinghiscall.com
plv.media
tonelektro.nl
pocket-opera.de
winrace.no
maineemploymentlawyerblog.com
huesges-gruppe.de
insp.bi
socialonemedia.com
villa-marrakesch.de
calxplus.eu
danielblum.info
ncuccr.org
harveybp.com
atmos-show.com
walter-lemm.de
testcoreprohealthuk.com
huissier-creteil.com
backstreetpub.com
vibehouse.rw
trackyourconstruction.com
sloverse.com
vickiegrayimages.com
leather-factory.co.jp
cursosgratuitosnainternet.com
theadventureedge.com
psc.de
milltimber.aberdeen.sch.uk
d2marketing.co.uk
real-estate-experts.com
paulisdogshop.de
psnacademy.in
spd-ehningen.de
tradiematepro.com.au
35-40konkatsu.net
spectrmash.ru
analiticapublica.es
filmstreamingvfcomplet.be
campusoutreach.org
xoabigail.com
centromarysalud.com
lightair.com
bayoga.co.uk
8449nohate.org
myteamgenius.com
delawarecorporatelaw.com
spylista.com
schraven.de
alten-mebel63.ru
christinarebuffetcourses.com
carriagehousesalonvt.com
kampotpepper.gives
bigler-hrconsulting.ch
triggi.de
parebrise-tla.fr
charlottepoudroux-photographie.fr
manutouchmassage.com
ki-lowroermond.nl
tennisclubetten.nl
labobit.it
noesis.tech
promalaga.es
dirittosanitario.biz
adoptioperheet.fi
wychowanieprzedszkolne.pl
coursio.com
launchhubl.com
tips.technology
tigsltd.com
gporf.fr
csgospeltips.se
rimborsobancario.net
littlebird.salon
faroairporttransfers.net
fizzl.ru
rushhourappliances.com
christ-michael.net
deoudedorpskernnoordwijk.nl
courteney-cox.net
dr-seleznev.com
parkstreetauto.net
lucidinvestbank.com
krcove-zily.eu
atalent.fi
stopilhan.com
blossombeyond50.com
extensionmaison.info
marketingsulweb.com
olejack.ru
ahouseforlease.com
onlybacklink.com
hairstylesnow.site
anthonystreetrimming.com
xn--rumung-bua.online
accountancywijchen.nl
cirugiauretra.es
abogadosaccidentetraficosevilla.es
trystana.com
verifort-capital.de
rocketccw.com
blogdecachorros.com
kingfamily.construction
fibrofolliculoma.info
tinyagency.com
hmsdanmark.dk
tongdaifpthaiphong.net
bigbaguettes.eu
tandartspraktijkhartjegroningen.nl
roygolden.com
urclan.net
sporthamper.com
shiftinspiration.com
teczowadolina.bytom.pl
saarland-thermen-resort.com
fitnessingbyjessica.com
apprendrelaudit.com
moveonnews.com
comparatif-lave-linge.fr
spargel-kochen.de
penco.ie
vancouver-print.ca
first-2-aid-u.com
naswrrg.org
bargningavesta.se
dushka.ua
falcou.fr
thomasvicino.com
cafemattmeera.com
kojinsaisei.info
mooshine.com
corelifenutrition.com
bxdf.info
sojamindbody.com
thedad.com
associacioesportivapolitg.cat
hotelsolbh.com.br
andersongilmour.co.uk
kaminscy.com
miraclediet.fun
naturstein-hotte.de
foretprivee.ca
art2gointerieurprojecten.nl
cimanchesterescorts.co.uk
artallnightdc.com
tarotdeseidel.com
coffreo.biz
finde-deine-marke.de
hardinggroup.com
agence-referencement-naturel-geneve.net
noixdecocom.fr
dlc.berlin
ausair.com.au
shonacox.com
gopackapp.com
truenyc.co
henricekupper.com
tuuliautio.fi
maxadams.london
naturavetal.hr
madinblack.com
spacecitysisters.org
zervicethai.co.th
wurmpower.at
ncid.bc.ca
alfa-stroy72.com
heurigen-bauer.at
fayrecreations.com
parkcf.nl
synlab.lt
tanzschule-kieber.de
sla-paris.com
ogdenvision.com
bimnapratica.com
readberserk.com
austinlchurch.com
happyeasterimages.org
delchacay.com.ar
gemeentehetkompas.nl
igrealestate.com
jakekozmor.com
peterstrobos.com
dubnew.com
gastsicht.de
commonground-stories.com
crowcanyon.com
darrenkeslerministries.com
pivoineetc.fr
thefixhut.com
mepavex.nl
upmrkt.co
assurancesalextrespaille.fr
innote.fi
lorenacarnero.com
hokagestore.com
figura.team
offroadbeasts.com
theclubms.com
spsshomeworkhelp.com
restaurantesszimmer.de
joyeriaorindia.com
iyahayki.nl
cnoia.org
linnankellari.fi
flexicloud.hk
mylovelybluesky.com
worldhealthbasicinfo.com
ohidesign.com
sauschneider.info
praxis-management-plus.de
steampluscarpetandfloors.com
mbfagency.com
talentwunder.com
pomodori-pizzeria.de
vdberg-autoimport.nl
freie-gewerkschaften.de
mdacares.com
songunceliptv.com
drnice.de
pcp-nc.com
em-gmbh.ch
lapmangfpt.info.vn
oslomf.no
brevitempore.net
dpo-as-a-service.com
mastertechengineering.com
dutchcoder.nl
exenberger.at
solhaug.tk
theshungiteexperience.com.au
shadebarandgrillorlando.com
jasonbaileystudio.com
grupocarvalhoerodrigues.com.br
colorofhorses.com
gmto.fr
highlinesouthasc.com
streamerzradio1.site
zonamovie21.net
durganews.com
symphonyenvironmental.com
commercialboatbuilding.com
saka.gr
castillobalduz.es
jenniferandersonwriter.com
architecturalfiberglass.org
knowledgemuseumbd.com
xn--thucmctc-13a1357egba.com
webcodingstudio.com
fitnessbazaar.com
lascuola.nl
waynela.com
philippedebroca.com
slimani.net
lapinvihreat.fi
edv-live.de
slimidealherbal.com
blumenhof-wegleitner.at
poultrypartners.nl
fransespiegels.nl
midmohandyman.com
mytechnoway.com
enovos.de
croftprecision.co.uk
deepsouthclothingcompany.com
bildungsunderlebnis.haus
westdeptfordbuyrite.com
muamuadolls.com
ligiercenter-sachsen.de
facettenreich27.de
limassoldriving.com
extraordinaryoutdoors.com
myzk.site
pubweb.carnet.hr
collaborativeclassroom.org
highimpactoutdoors.net
ivfminiua.com
tophumanservicescourses.com
mousepad-direkt.de
sweering.fr
miriamgrimm.de
kevinjodea.com
simpkinsedwards.co.uk
sportverein-tambach.de
ccpbroadband.com
mrsplans.net
jameskibbie.com
almosthomedogrescue.dog
pelorus.group
dutchbrewingcoffee.com
educar.org
crowd-patch.co.uk
hypozentrum.com
lenreactiv-shop.ru
stemplusacademy.com
baronloan.org
id-et-d.fr
testzandbakmetmening.online
gymnasedumanagement.com
jandaonline.com
kariokids.com
panelsandwichmadrid.es
oneheartwarriors.at
precisionbevel.com
kafu.ch
koken-voor-baby.nl
faronics.com
associationanalytics.com
ladelirante.fr
humanityplus.org
babcockchurch.org
xn--logopdie-leverkusen-kwb.de
plotlinecreative.com
oncarrot.com
herbayupro.com
abogadosadomicilio.es
ceres.org.au
sofavietxinh.com
eco-southafrica.com
mylolis.com
lichencafe.com
you-bysia.com.au
icpcnj.org
sanyue119.com
hugoversichert.de
logopaedie-blomberg.de
mediaclan.info
lynsayshepherd.co.uk
schoolofpassivewealth.com
heliomotion.com
answerstest.ru
milestoneshows.com
saxtec.com
dontpassthepepper.com
instatron.net
bauertree.com
ianaswanson.com
bodyforwife.com
eglectonk.online
d1franchise.com
freie-baugutachterpraxis.de
gasbarre.com
hoteledenpadova.it
luxurytv.jp
global-kids.info
kunze-immobilien.de
ungsvenskarna.se
wraithco.com
caffeinternet.it
carolinepenn.com
latribuessentielle.com
dezatec.es
101gowrie.com
allfortheloveofyou.com
2ekeus.nl
cuspdental.com
kamienny-dywan24.pl
datacenters-in-europe.com
n1-headache.com
kaotikkustomz.com
importardechina.info
agence-chocolat-noir.com
thewellnessmimi.com
hvccfloorcare.com
catholicmusicfest.com
bunburyfreightservices.com.au
resortmtn.com
itelagen.com
igorbarbosa.com
tsklogistik.eu
slashdb.com
cactusthebrand.com
revezlimage.com
markelbroch.com
stormwall.se
merzi.info
boulderwelt-muenchen-west.de
completeweddingkansas.com
nmiec.com
birnam-wood.com
epwritescom.wordpress.com
quizzingbee.com
esope-formation.fr
seagatesthreecharters.com
pferdebiester.de
mardenherefordshire-pc.gov.uk
fannmedias.com
leda-ukraine.com.ua
jvanvlietdichter.nl
paradicepacks.com
simulatebrain.com
tanzprojekt.com
cortec-neuro.com
forskolorna.org
wsoil.com.sg
clos-galant.com
deko4you.at
polymedia.dk
gratispresent.se
otto-bollmann.de
basisschooldezonnewijzer.nl
skanah.com
physiofischer.de
theletter.company
makeitcount.at
polychromelabs.com
strandcampingdoonbeg.com
mountsoul.de
id-vet.com
maureenbreezedancetheater.org
crosspointefellowship.church
abogadoengijon.es
binder-buerotechnik.at
aodaichandung.com
jolly-events.com
thailandholic.com
yousay.site
jeanlouissibomana.com
mdk-mediadesign.de
levihotelspa.fi
mooreslawngarden.com
memaag.com
live-con-arte.de
daniel-akermann-architektur-und-planung.ch
marietteaernoudts.nl
thomas-hospital.de
nataschawessels.com
pinkexcel.com
bradynursery.com
musictreehouse.net
lillegrandpalais.com
journeybacktolife.com
cityorchardhtx.com
pier40forall.org
renergysolution.com
vermoote.de
levdittliv.se
torgbodenbollnas.se
tandartspraktijkheesch.nl
international-sound-awards.com
digivod.de
seminoc.com
walkingdeadnj.com
lykkeliv.net
argenblogs.com.ar
suncrestcabinets.ca
personalenhancementcenter.com
dinslips.se
systemate.dk
biortaggivaldelsa.com
greenko.pl
rozemondcoaching.nl
connectedace.com
- net: true
- pid: $2a$10$t3DhTruaNQkuwj0ZThetBO76elGNsuZ6qHEDd9eLbWXl1fJiNkEUq
- prc:
  infopath
  sql
  mydesktopqos
  excel
  powerpnt
  xfssvccon
  msaccess
  encsvc
  wordpad
  firefox
  ocssd
  dbsnmp
  steam
  ocautoupds
  synctime
  dbeng50
  winword
  agntsvc
  oracle
  tbirdconfig
  thebat
  mspub
  ocomm
  sqbcoreservice
  outlook
  mydesktopservice
  onenote
  visio
  isqlplussvc
  thunderbird
- ransom_oneliner: ...ALL YOUR FILES ARE BLOCKED AND CAN BE LOST SOON... Urgently find: {EXT}-README.txt in folders or on your desktop! YOU HAVE A FEW DAYS OR A FILE WILL BE LOST FOREVER !!!
- ransom_template: Sorry, but your files are locked due to a critical error in your system. The extension of your files is now "{EXT}". If you yourself want to decrypt the files - you will lose them FOREVER. You have to pay get your file decoder. DO NOT TAKE TIME, you have SEVERAL DAYS to pay, otherwise the cost of the decoder will double. How to do it is written below. If you cannot do it yourself, then search the Internet for file recovery services in your country or city. Go to the page through the browser: http://decryptor.cc/{UID} If your site does not open, then download the TOR browser (https://torproject.org/). If you can’t access the download page of the TOR browser, then download the VPN! After you install the TOR browser on your computer go to the site: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} After going to the site, enter the following code: {KEY}
- sub: 3612
- svc:
  sql
  sophos
  mepocs
  memtas
  backup
  vss
  veeam
  svc$
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\WaitProtect.crw => \??\c:\users\admin\pictures\WaitProtect.crw.456ubtz | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\users\admin\pictures\OptimizeUse.tiff | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromGroup.raw => \??\c:\users\admin\pictures\ConvertFromGroup.raw.456ubtz | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File renamed | C:\Users\Admin\Pictures\NewMount.raw => \??\c:\users\admin\pictures\NewMount.raw.456ubtz | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File renamed | C:\Users\Admin\Pictures\OptimizeUse.tiff => \??\c:\users\admin\pictures\OptimizeUse.tiff.456ubtz | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File renamed | C:\Users\Admin\Pictures\StepSet.raw => \??\c:\users\admin\pictures\StepSet.raw.456ubtz | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File renamed | C:\Users\Admin\Pictures\UnpublishInstall.png => \??\c:\users\admin\pictures\UnpublishInstall.png.456ubtz | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oXnEn2JlQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe" | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
description | ioc | process
File opened (read-only) | \??\N: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\Q: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\E: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\L: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\M: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\V: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\D: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\H: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\J: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\P: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\S: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\U: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\Y: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\Z: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\G: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\O: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\F: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\I: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\K: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\R: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\T: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\W: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\A: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\B: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened (read-only) | \??\X: | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\35lqzpmos.bmp" | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
-
Drops file in Program Files directory 31 IoCs
Processes:
37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
description | ioc | process
File created | \??\c:\program files\456ubtz-README.txt | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\DismountRepair.asf | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\ProtectInvoke.htm | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\ResizeSubmit.fon | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\AssertLock.vsx | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\MergeJoin.html | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\ClearLock.mht | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\GrantSubmit.wmv | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\HideMove.midi | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\LockShow.M2V | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\PingDismount.tiff | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\InvokeMerge.mp4 | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\ResolveTrace.jtx | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\UseUpdate.svgz | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\WaitUnlock.zip | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\SearchRemove.avi | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\SubmitConvert.clr | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\UnregisterStep.pcx | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\AssertCheckpoint.MTS | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\CopyCheckpoint.TTS | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\InstallRemove.xla | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\LimitSearch.xml | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\RestartUpdate.html | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File created | \??\c:\program files (x86)\456ubtz-README.txt | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\CopyInvoke.xls | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\DenyShow.tif | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\RedoUnprotect.png | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\RevokeOut.css | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\SubmitSync.mhtml | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\ConvertToOut.potx | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
File opened for modification | \??\c:\program files\DisconnectComplete.scf | 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
-
Processes:
37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85A408C09C193E5D51587DCDD61330FD8CDE37BF 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85A408C09C193E5D51587DCDD61330FD8CDE37BF\Blob = 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 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85A408C09C193E5D51587DCDD61330FD8CDE37BF\Blob = 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 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85A408C09C193E5D51587DCDD61330FD8CDE37BF\Blob = 1900000001000000100000000790dd35d0de1a5516689a62748c58eb0f0000000100000014000000ff99b1116eca7b69f516900dea2d12202453b5110b0000000100000036000000440065007500740073006300680065002000540065006c0065006b006f006d00200052006f006f007400200043004100200032000000620000000100000020000000b6191a50d0c3977f7da99bcdaac86a227daeb9679ec70ba3b0c9d92271c170d3090000000100000020000000301e06082b0601050507030206082b0601050507030406082b0601050507030114000000010000001400000031c3791bbaf553d717e0897a2d176c0ab32b9d331d000000010000001000000048c1184e28125121aeeef1a32ce0d46703000000010000001400000085a408c09c193e5d51587dcdd61330fd8cde37bf04000000010000001000000074014a91b108c458ce47cdf0dd1153082000000001000000a30300003082039f30820287a003020102020126300d06092a864886f70d01010505003071310b3009060355040613024445311c301a060355040a131344657574736368652054656c656b6f6d204147311f301d060355040b1316542d54656c655365632054727573742043656e746572312330210603550403131a44657574736368652054656c656b6f6d20526f6f742043412032301e170d3939303730393132313130305a170d3139303730393233353930305a3071310b3009060355040613024445311c301a060355040a131344657574736368652054656c656b6f6d204147311f301d060355040b1316542d54656c655365632054727573742043656e746572312330210603550403131a44657574736368652054656c656b6f6d20526f6f74204341203230820122300d06092a864886f70d01010105000382010f003082010a0282010100ab0ba335e08b2914b11485af3c10e4396f355d4aaeddea618d9549f46f64a31a6066a4a9402284d9d4a5e578930e6801adb94d5c3aced3b8a84240dfcfa3ba82596a921bac1c9ada082b2527f9692347f1e0eb2c7a9bf51302d07e347cc29e3c0059abf5da0cf5323c2bac50dad6c3de8394caa80c99320e0848565b6afbdae1585801495f72413c1506018e5dadaab893b4cd9eeba7e86a2d5234db3aef5c7551dadbf331f9ee719832c45415440cf99b55edaddf1808a0a3868a49ee53058f194cd5de58799bd26a1c42abc5d5a7cf680f96e4e161987661c8917cd63e00e2915087e19d0ae6ad97d21dc63a7dcbbcda0334d58e5b01f56a07b716b66e4a7f0203010001a3423040301d0603551d0e0416041431c3791bbaf553d717e0897a2d176c0ab32b9d33300f0603551d13040830060101ff020105300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100946459ad3964e729eb13fe5ac38b1357c80424f07477c060e367fbe989a683bf96827c6ed4c33def9e806ebb29b4987ab13b54eb3917477e1a8e0bfc1f31593104b2ce17f32cc7623655e222d88955b49848aa64fad61c36d844785a5a233a5797f57a304fae9f6a4c4b2b8ea003e33ee0a9d4d27bd2b3a8e2723cad9eff8059e49b45b4f63bb0cd39199832e5ea216190e431218e34b1f72f354a8510dae78a3721be5963e0f285883153d45414857079f42e067727752f1fb88af9fec5bad836e483ece765b7bf635af346af819437d4418cd623d61ecff5681b4463a25abaa73559a1e570059b0e235799940a6dba3963288692f31884d8fbd1cf05566457 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85A408C09C193E5D51587DCDD61330FD8CDE37BF\Blob = 5c00000001000000040000000008000004000000010000001000000074014a91b108c458ce47cdf0dd11530803000000010000001400000085a408c09c193e5d51587dcdd61330fd8cde37bf1d000000010000001000000048c1184e28125121aeeef1a32ce0d46714000000010000001400000031c3791bbaf553d717e0897a2d176c0ab32b9d33090000000100000020000000301e06082b0601050507030206082b0601050507030406082b06010505070301620000000100000020000000b6191a50d0c3977f7da99bcdaac86a227daeb9679ec70ba3b0c9d92271c170d30b0000000100000036000000440065007500740073006300680065002000540065006c0065006b006f006d00200052006f006f0074002000430041002000320000000f0000000100000014000000ff99b1116eca7b69f516900dea2d12202453b5111900000001000000100000000790dd35d0de1a5516689a62748c58eb2000000001000000a30300003082039f30820287a003020102020126300d06092a864886f70d01010505003071310b3009060355040613024445311c301a060355040a131344657574736368652054656c656b6f6d204147311f301d060355040b1316542d54656c655365632054727573742043656e746572312330210603550403131a44657574736368652054656c656b6f6d20526f6f742043412032301e170d3939303730393132313130305a170d3139303730393233353930305a3071310b3009060355040613024445311c301a060355040a131344657574736368652054656c656b6f6d204147311f301d060355040b1316542d54656c655365632054727573742043656e746572312330210603550403131a44657574736368652054656c656b6f6d20526f6f74204341203230820122300d06092a864886f70d01010105000382010f003082010a0282010100ab0ba335e08b2914b11485af3c10e4396f355d4aaeddea618d9549f46f64a31a6066a4a9402284d9d4a5e578930e6801adb94d5c3aced3b8a84240dfcfa3ba82596a921bac1c9ada082b2527f9692347f1e0eb2c7a9bf51302d07e347cc29e3c0059abf5da0cf5323c2bac50dad6c3de8394caa80c99320e0848565b6afbdae1585801495f72413c1506018e5dadaab893b4cd9eeba7e86a2d5234db3aef5c7551dadbf331f9ee719832c45415440cf99b55edaddf1808a0a3868a49ee53058f194cd5de58799bd26a1c42abc5d5a7cf680f96e4e161987661c8917cd63e00e2915087e19d0ae6ad97d21dc63a7dcbbcda0334d58e5b01f56a07b716b66e4a7f0203010001a3423040301d0603551d0e0416041431c3791bbaf553d717e0897a2d176c0ab32b9d33300f0603551d13040830060101ff020105300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100946459ad3964e729eb13fe5ac38b1357c80424f07477c060e367fbe989a683bf96827c6ed4c33def9e806ebb29b4987ab13b54eb3917477e1a8e0bfc1f31593104b2ce17f32cc7623655e222d88955b49848aa64fad61c36d844785a5a233a5797f57a304fae9f6a4c4b2b8ea003e33ee0a9d4d27bd2b3a8e2723cad9eff8059e49b45b4f63bb0cd39199832e5ea216190e431218e34b1f72f354a8510dae78a3721be5963e0f285883153d45414857079f42e067727752f1fb88af9fec5bad836e483ece765b7bf635af346af819437d4418cd623d61ecff5681b4463a25abaa73559a1e570059b0e235799940a6dba3963288692f31884d8fbd1cf05566457 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
-
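Note on the certificate-store events above (an editorial addition, not part of the sandbox output). Each Blob value is a serialized certificate context: a run of property records, each a 4-byte property id, a 4-byte reserved field equal to 1, a 4-byte length and the data, with the DER certificate itself carried under id 0x20. Reading the values that survived on this page: id 0x0b (friendly name, UTF-16LE) decodes to "Deutsche Telekom Root CA 2", id 0x03 repeats the SHA-1 thumbprint that names the registry key, id 0x62 holds the SHA-256 hash, id 0x09 is an EKU list (clientAuth, emailProtection, serverAuth), and the second full write adds id 0x5c with the value 0x800, a 2048-bit subject key. AuthRoot is the store that Windows' automatic root update populates, so a public root appearing there, attributed to the sample's PID because CryptoAPI ran inside its process, usually means a root was fetched while the process built a certificate chain; on its own it is not evidence of a planted certificate. The first two writes have their data removed from this copy and cannot be checked at all. The check a practitioner wants is that the key name, the id 0x03 value and the hash of the DER agree, and that the subject is the expected public root. The parser below is added here as an example (it is not the sandbox's or the report's code): it walks the records, decodes the friendly name and the EKU OIDs, compares the SHA-1 property with the key name, and hashes the DER only when the whole certificate is present. The sample blob is the third write from the page with the certificate cut after 31 of its 931 bytes, to keep the listing short and to exercise the truncated path; the property-id names are the CERT_*_PROP_ID constants from wincrypt.h.

```python
import hashlib
import struct

# Key name and Blob value from the report (third Set value (data) event). The DER
# certificate at the end is cut after 31 of its declared 931 bytes on purpose.
KEY_THUMBPRINT = "85A408C09C193E5D51587DCDD61330FD8CDE37BF"
BLOB_HEX = (
    "1900000001000000100000000790dd35d0de1a5516689a62748c58eb"
    "0f0000000100000014000000ff99b1116eca7b69f516900dea2d12202453b511"
    "0b0000000100000036000000"
    "440065007500740073006300680065002000540065006c0065006b006f006d002000"
    "52006f006f007400200043004100200032000000"
    "620000000100000020000000"
    "b6191a50d0c3977f7da99bcdaac86a227daeb9679ec70ba3b0c9d92271c170d3"
    "090000000100000020000000"
    "301e06082b0601050507030206082b0601050507030406082b06010505070301"
    "14000000010000001400000031c3791bbaf553d717e0897a2d176c0ab32b9d33"
    "1d000000010000001000000048c1184e28125121aeeef1a32ce0d467"
    "03000000010000001400000085a408c09c193e5d51587dcdd61330fd8cde37bf"
    "04000000010000001000000074014a91b108c458ce47cdf0dd115308"
    "2000000001000000a3030000"
    "3082039f30820287a003020102020126300d06092a864886f70d0101050500"
)

# CERT_*_PROP_ID values (wincrypt.h) for the properties present in the page's blobs.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x5C: "CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID",
    0x62: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}


def parse_cert_blob(blob: bytes) -> list:
    """Walk the property records: DWORD propid, DWORD reserved (1), DWORD length,
    data. A final record whose data is cut short (a report that elides a long
    value) is returned with truncated=True rather than raising."""
    records, off = [], 0
    while off + 12 <= len(blob):
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved:#x} at offset {off}")
        data = blob[off + 12:off + 12 + length]
        records.append({
            "propid": propid,
            "name": PROP_NAMES.get(propid, f"prop_{propid:#x}"),
            "declared_len": length,
            "data": data,
            "truncated": len(data) < length,
        })
        off += 12 + length
    return records


def decode_oids(der: bytes) -> list:
    """Decode a DER SEQUENCE OF OBJECT IDENTIFIER (the layout of the EKU property).
    Short-form lengths only, which is all an EKU list needs."""
    if not der or der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    end, pos, oids = 2 + der[1], 2, []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("not an OBJECT IDENTIFIER")
        ln = der[pos + 1]
        body = der[pos + 2:pos + 2 + ln]
        arcs, val = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:                 # base-128 arcs, high bit = continuation
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(val)
                val = 0
        oids.append(".".join(map(str, arcs)))
        pos += 2 + ln
    return oids


def summarize(key_thumbprint: str, blob_hex: str) -> dict:
    """Pull out what an analyst checks: friendly name, EKUs, the stored hashes, and
    whether the SHA-1 property and (if complete) the DER agree with the key name."""
    recs = parse_cert_blob(bytes.fromhex(blob_hex))
    by_id = {r["propid"]: r for r in recs}
    out = {"props": [r["name"] for r in recs]}
    if 0x0B in by_id:
        out["friendly_name"] = by_id[0x0B]["data"].decode("utf-16-le").rstrip("\x00")
    if 0x09 in by_id:
        out["eku"] = decode_oids(by_id[0x09]["data"])
    if 0x62 in by_id:
        out["sha256"] = by_id[0x62]["data"].hex()
    if 0x03 in by_id:
        out["sha1_prop"] = by_id[0x03]["data"].hex()
        out["sha1_matches_key"] = out["sha1_prop"] == key_thumbprint.lower()
    if 0x20 in by_id:
        cert = by_id[0x20]
        out["cert_len"], out["cert_truncated"] = cert["declared_len"], cert["truncated"]
        # Hash the DER only when all of it is present; a cut-down copy can never
        # match the thumbprint and reporting a "mismatch" would mislead.
        if not cert["truncated"]:
            out["sha1_of_der"] = hashlib.sha1(cert["data"]).hexdigest()
            out["der_matches_key"] = out["sha1_of_der"] == key_thumbprint.lower()
    return out


if __name__ == "__main__":
    for k, v in summarize(KEY_THUMBPRINT, BLOB_HEX).items():
        print(f"{k}: {v}")
```

Run against the complete blob copied from a report, summarize() also reports der_matches_key; against this truncated sample it reports cert_truncated=True and withholds the DER hash, which is the honest answer when the data is not all there.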
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe, powershell.exe
pid process
2204 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
2204 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
4008 powershell.exe
4008 powershell.exe
4008 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe, powershell.exe, vssvc.exe
description pid process
Token: SeDebugPrivilege 2204 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
Token: SeDebugPrivilege 4008 powershell.exe
Token: SeBackupPrivilege 3496 vssvc.exe
Token: SeRestorePrivilege 3496 vssvc.exe
Token: SeAuditPrivilege 3496 vssvc.exe
Token: SeTakeOwnershipPrivilege 2204 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe
description pid process target process
PID 2204 wrote to memory of 4008 2204 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe powershell.exe
PID 2204 wrote to memory of 4008 2204 37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe (PID 2204, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\37b8da186e1d26247f942dab67b5d6d24e0acb0d7fc3c583d4cad99fb36c2bc6.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4008, level 2, child of PID 2204)
    command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    decoded (-e takes base64 of UTF-16LE text): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exe (level 1)
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
-
C:\Windows\system32\vssvc.exe (PID 3496, level 1)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
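The powershell.exe child's -e argument is base64 of UTF-16LE text and decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}: it enumerates every Volume Shadow Copy through WMI and deletes it, which is consistent with the rest of the tree, vssvc.exe (the Volume Shadow Copy service, shown above taking SeBackupPrivilege and SeRestorePrivilege) and unsecapp.exe (WMI's host for asynchronous client callbacks, started with -Embedding). The decoder and detection routine below is an added example, not code from the report or the sandbox; it decodes -e / -ec / -enc / -EncodedCommand values, tolerating stripped padding and rejecting values that are not base64 or not UTF-16LE, and flags shadow-copy deletion in the WMI form seen here and in the vssadmin and wmic forms, which are added for breadth and do not appear on this page. The sample command line is the one from the process tree; the other inputs in the usage check are constructed.

```python
import base64
import re

# Command line copied from the report's process tree.
SAMPLE_CMDLINE = (
    "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3"
    "AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# -EncodedCommand and the abbreviations most often seen for it. PowerShell accepts
# any unambiguous prefix, so extend the alternation if you meet other spellings.
_ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Shadow-copy deletion in three common forms. Only the WMI form is on the page;
# the vssadmin and wmic forms are added here for breadth.
_SHADOW_COPY_PATTERNS = {
    "wmi_shadowcopy_delete": re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.I | re.S),
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None when the line carries no
    encoded command or the value is not valid base64 / UTF-16LE."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)          # tolerate stripped padding
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")    # odd length or bad surrogates raise here
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline: str) -> dict:
    """Decode any encoded payload, then match the shadow-copy patterns against
    both the raw line and the decoded text so plain and encoded forms both hit."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    indicators = [name for name, pat in _SHADOW_COPY_PATTERNS.items() if pat.search(haystack)]
    return {"decoded": decoded, "indicators": indicators}


if __name__ == "__main__":
    result = analyze_cmdline(SAMPLE_CMDLINE)
    print("decoded:   ", result["decoded"])
    print("indicators:", result["indicators"])
```

Matching on the decoded text rather than on the base64 is the point: the same WMI one-liner encodes differently after any change in spacing or casing, so a signature on the encoded string is brittle while a signature on the decoded text is not.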
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/2204-114-0x0000000000A20000-0x0000000000A4B000-memory.dmp  Filesize 172KB
-
memory/2204-115-0x0000000000400000-0x00000000008C1000-memory.dmp  Filesize 4.8MB
-
memory/4008-116-0x0000000000000000-mapping.dmp
-
memory/4008-121-0x0000021B6CE90000-0x0000021B6CE91000-memory.dmp  Filesize 4KB
-
memory/4008-123-0x0000021B6CF50000-0x0000021B6CF52000-memory.dmp  Filesize 8KB
-
memory/4008-125-0x0000021B6CF53000-0x0000021B6CF55000-memory.dmp  Filesize 8KB
-
memory/4008-126-0x0000021B6D060000-0x0000021B6D061000-memory.dmp  Filesize 4KB
-
memory/4008-136-0x0000021B6CF56000-0x0000021B6CF58000-memory.dmp  Filesize 8KB