Analysis
-
max time kernel
130s
-
max time network
141s
-
platform
windows10_x64
-
resource
win10v20210410
-
submitted
17-06-2021 19:25
Static task
static1
Behavioral task
behavioral1
Sample
98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
Resource
win10v20210410
General
-
Target
98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
-
Size
333KB
-
MD5
229da2b80073aed77526aaa0f9445334
-
SHA1
af4b369fc2a8e89f5fb57f22e8b6bc492107fd79
-
SHA256
98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c
-
SHA512
78b68e413f44c830e0783f2154e4ff879bb5074eda53cc16218ebb15c2e19c35fd46b22bfd61823df9ce1f1cf8075b12974d435c30aa5348a97db92c5aac6636
Malware Config
Extracted
C:\6jgk7-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7BDCF551536BD696
http://decoder.re/7BDCF551536BD696
Extracted
sodinokibi
$2a$12$sr6NKOt2ZvX04hjSD0n/KOtg0WxsKt.tVJ6CFQibmYWNlVrpbBc9i
8013
-
net
true
-
pid
$2a$12$sr6NKOt2ZvX04hjSD0n/KOtg0WxsKt.tVJ6CFQibmYWNlVrpbBc9i
-
prc
steam
firefox
thebat
outlook
dbsnmp
ocssd
mydesktopservice
agntsvc
encsvc
visio
ocautoupds
sqbcoreservice
ocomm
excel
mspub
synctime
isqlplussvc
msaccess
infopath
oracle
wordpad
thunderbird
dbeng50
tbirdconfig
powerpnt
sql
xfssvccon
onenote
mydesktopqos
winword
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] We have uploaded your data, and if you ignore us, we will publish it in the media [+] [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! 
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
8013
-
svc
svc$
veeam
memtas
mepocs
sophos
backup
sql
vss
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies Windows Firewall 1 TTPs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
description ioc process
File opened (read-only) \??\O: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\S: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\W: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\B: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\H: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\I: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\L: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\P: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\R: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\U: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\V: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\A: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\E: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\K: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\T: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\X: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\G: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\J: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\N: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\Q: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\Y: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\Z: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\D: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\F: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened (read-only) \??\M: 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4066h.bmp" 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
-
Drops file in Program Files directory 35 IoCs
Processes:
98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
description ioc process
File created \??\c:\program files (x86)\tmp 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\DisableHide.aiff 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\EnterResize.htm 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\ExportClear.potm 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\InitializeCompress.jpe 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\OutEdit.vdx 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\RegisterJoin.jpg 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\RestoreGrant.cr2 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\ConvertFromMerge.wdp 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\GetResolve.svg 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\ShowSearch.potx 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\UnlockGet.wmv 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\LockFormat.dotm 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\LockUnpublish.vstx 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\MountImport.pub 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\RestoreMove.vdx 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\RevokeSync.shtml 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\ExpandPush.ex_ 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\NewDisable.rle 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\OpenUpdate.ex_ 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\RenameConvertTo.htm 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\WatchPing.dwfx 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File created \??\c:\program files (x86)\6jgk7-readme.txt 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\ConvertToWait.m3u 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\CompressMeasure.eprtx 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\UndoUnregister.jpg 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\UnprotectSplit.png 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\UseInitialize.3gp2 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File created \??\c:\program files\6jgk7-readme.txt 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\CheckpointAdd.ps1xml 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\GetHide.jpg 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\ResumeShow.wm 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File created \??\c:\program files\tmp 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\BlockFormat.dib 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
File opened for modification \??\c:\program files\CompressStop.vsd 98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
pid   process
3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe, vssvc.exe
description                      pid   process
Token: SeDebugPrivilege          3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
Token: SeTakeOwnershipPrivilege  3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
Token: SeBackupPrivilege         1200  vssvc.exe
Token: SeRestorePrivilege        1200  vssvc.exe
Token: SeAuditPrivilege          1200  vssvc.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
description                       pid   process                                                                target process
PID 3908 wrote to memory of 3824  3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe  netsh.exe
PID 3908 wrote to memory of 3824  3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe  netsh.exe
PID 3908 wrote to memory of 3824  3908  98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe  netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\98b4d614c3059e606dd802ef64f6cc86e1bf1efc4e3ee24c4543315757339d3c.exe"
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3908
  -
  C:\Windows\SysWOW64\netsh.exe
    Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    PID: 3824
-
C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3940
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1200