Analysis
max time kernel: 155s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16-05-2022 06:23

Static task: static1
Behavioral task: behavioral1
  Sample: 법원 서류.doc.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 법원 서류.doc.exe
  Resource: win10v2004-20220414-en

General
Target: 법원 서류.doc.exe
Size: 321KB
MD5: 132d026e561abfd1615f1216557657ae
SHA1: f82913ac957d3bac2b88fe728fc762b9de30563b
SHA256: d23eee8f73a7c40855886245fcd302907b47f1280c19b1803bc9d247272f31da
SHA512: 6738cedab0d1731c29776f52dae7a53e630ca572822a0361099e3cfde8f3561ef604e5f33f272924f48df8eaeb3fe41b8c1235e8d20b2807712bd8d4316c2d1d
Malware Config
Extracted
sodinokibi
30
97
mundo-pieces-auto.fr
mind2muscle.nl
atrgroup.it
eksperdanismanlik.com
lidkopingsnytt.nu
bd2fly.com
teamsegeln.ch
leopoldineroux.com
gardenpartner.pl
theintellect.edu.pk
malevannye.ru
bychowo.pl
eatyoveges.com
aheadloftladders.co.uk
bjornvanvulpen.nl
global-migrate.com
jefersonalessandro.com
adterium.com
chainofhopeeurope.eu
biodentify.ai
nicksrock.com
yourhappyevents.fr
forskolinslimeffect.net
heuvelland-oaze.nl
krishnabrawijaya.com
klapanvent.ru
lunoluno.com
hostingbangladesh.net
hensleymarketing.com
weddingceremonieswithtim.com
carolynfriedlander.com
bendel-partner.de
baikalflot.ru
edrickennedymacfoy.com
alabamaroofingllc.com
n-newmedia.de
vapiano.fr
test-teleachat.fr
memphishealthandwellness.com
rino-gmbh.com
orchardbrickwork.com
zorgboerderijravensbosch.nl
etgdogz.de
racefietsenblog.nl
a-zpaperwork.eu
ox-home.com
cymru.futbol
bcabattoirs.org
janellrardon.com
schroederschoembs.com
log-barn.co.uk
trevi-vl.ru
pansionatblago.ru
quitescorting.com
arthakapitalforvaltning.dk
utilisacteur.fr
rentsportsequip.com
brannbornfastigheter.se
saint-malo-developpement.fr
oscommunity.de
autoteamlast.de
grupoexin10.com
banksrl.co.za
triavlete.com
towelroot.co
ruggestar.ch
oexebusiness.com
bagaholics.in
aciscomputers.com
mariannelemenestrel.com
agencewho-aixenprovence.fr
angeleyezstripclub.com
ykobbqchicken.ca
advesa.com
ingresosextras.online
crestgood.com
gavelmasters.com
p-ride.live
martha-frets-ceramics.nl
bodymindchallenger.com
c-sprop.com
matteoruzzaofficial.com
netadultere.fr
koncept-m.ru
promus.ca
internalresults.com
nbva.co.uk
arabianmice.com
rubyaudiology.com
tellthebell.website
webforsites.com
cleanroomequipment.ie
oro.ae
the-beauty-guides.com
linkbuilding.life
shortsalemap.com
shortysspices.com
aoyama.ac
adabible.org
atelierkomon.com
gratiocafeblog.wordpress.com
napisat-pismo-gubernatoru.ru:443
alisodentalcare.com
tilldeeke.de
protoplay.ca
gbk-tp1.de
subquercy.fr
gosouldeep.com
fbmagazine.ru
atma.nl
thesilkroadny.com
suitesartemis.gr
thepixelfairy.com
grancanariaregional.com
apogeeconseils.fr
cookinn.nl
m2graph.fr
qwikcoach.com
putzen-reinigen.com
selected-minds.de
skyboundnutrition.co.uk
manzel.tn
pubcon.com
blucamp.com
piestar.com
penumbuhrambutkeiskei.com
grafikstudio-visuell.de
insane.agency
carsten.sparen-it.de
tbalp.co.uk
factoriareloj.com
mrmac.com
skidpiping.de
smartspeak.com
itheroes.dk
humanviruses.org
fixx-repair.com
landgoedspica.nl
logosindustries.com
universelle.fr
pureelements.nl
barbaramcfadyenjewelry.com
dantreranch.com
sellthewrightway.com
prometeyagro.com.ua
baumfinancialservices.com
motocrosshideout.com
jimprattmediations.com
goodherbalhealth.com
alnectus.com
afbudsrejserallinclusive.dk
internestdigital.com
rizplakatjaya.com
amco.net.au
palmecophilippines.com
dinecorp.com
silverbird.dk
precisetemp.com
galatee-couture.com
tchernia-conseil.fr
comoserescritor.com
drbrianhweeks.com
alltagsrassismus-entknoten.de
zealcon.ae
belinda.af
expohomes.com
the-cupboard.co.uk
billscars.net
affligemsehondenschool.be
trainiumacademy.com
hospitalitytrainingsolutions.co.uk
radishallgood.com
richardiv.com
randyabrown.com
skooppi.fi
dayenne-styling.nl
fann.ru
thehovecounsellingpractice.co.uk
stitch-n-bitch.com
bratek-immobilien.de
soundseeing.net
johnsonweekly.com
fanuli.com.au
livelai.com
kookooo.com
toranjtuition.org
miscbo.it
sarahspics.co.uk
lassocrm.com
deziplan.ru
pixelhealth.net
corporacionrr.com
hom-frisor.dk
thegrinningmanmusical.com
unboxtherapy.site
innovationgames-brabant.nl
chatterchatterchatter.com
o2o-academy.com
molinum.pt
mercadodelrio.com
min-virksomhed.dk
altitudeboise.com
zdrowieszczecin.pl
hinotruckwreckers.com.au
ikzoekgod.be
newonestop.com
hostaletdelsindians.es
ciga-france.fr
uncensoredhentaigif.com
alexwenzel.de
floweringsun.org
endlessrealms.net
luvinsburger.fr
kroophold-sjaelland.dk
alaskaremote.com
legundschiess.de
glennverschueren.be
geitoniatonaggelon.gr
alharsunindo.com
goddardleadership.org
relevantonline.eu
ultimatelifesource.com
traitware.com
bertbutter.nl
werkzeugtrolley.net
focuskontur.com
ahgarage.com
block-optic.com
ocduiblog.com
metriplica.academy
oththukaruva.com
denverwynkoopdentist.com
descargandoprogramas.com
delegationhub.com
encounter-p.net
topvijesti.net
palmenhaus-erfurt.de
phoenixcrane.com
elliemaccreative.wordpress.com
skoczynski.eu
rozmata.com
boyfriendsgoal.site
nevadaruralhousingstudies.org
ilovefullcircle.com
acb-gruppe.ch
gazelle-du-web.com
hekecrm.com
jglconsultancy.com
peppergreenfarmcatering.com.au
pinthelook.com
onlinetvgroup.com
curtsdiscountguns.com
production-stills.co.uk
sochi-okna23.ru
shrinkingplanet.com
endstarvation.com
ebible.co
liveyourheartout.co
ygallerysalonsoho.com:443
scietech.academy
nieuwsindeklas.be
cap29010.it
anleggsregisteret.no
almamidwifery.com
yayasanprimaunggul.org
magnetvisual.com
bringmehope.org
supercarhire.co.uk
globalcompliancenews.com
ivancacu.com
vdolg24.online
the5thquestion.com
cuadc.org
azerbaycanas.com
istantidigitali.com
saberconcrete.com
90nguyentuan.com
goeppinger-teppichreinigung.de
ncn.nl
iactechnologies.net
schulz-moelln.de
wrinstitute.org
wordpress.idium.no
agendatwentytwenty.com
imajyuku-sozoku.com
eastgrinsteadwingchun.com
bourchier.org
forextimes.ru
richardmaybury.co.uk
bridalcave.com
ziliak.com
bayshoreelite.com
pourlabretagne.bzh
liverpoolabudhabi.ae
awag-blog.de
artvark.nl
innersurrection.com
rvside.com
hvitfeldt.dk
springfieldplumbermo.com
myplaywin3.com
welovecustomers.fr
kemtron.fr
morgansconsult.com
jobscore.com
amorbellezaysalud.com
altocontatto.net
pro-gamer.pl
jacquesgarcianoto.com
smarttourism.academy
explora.nl
chatberlin.de
topautoinsurers.net
foerderverein-vatterschule.de
kdbrh.com
keyboardjournal.com
cyberpromote.de
speiserei-hannover.de
zaczytana.com
biketruck.de
thiagoperez.com
alpesiberie.com
saboboxtel.uk
natturestaurante.com.br
agriturismocastagneto.it
skyscanner.ro
stralsund-ansichten.de
brighthillgroup.com
awaitspain.com
animalfood-online.de
xn--billigafrgpatroner-stb.se
mesajjongeren.nl
invela.dk
jandhpest.com
kombi-dress.com
fazagostar.co
hypogenforensic.com
jax-interim-and-projectmanagement.com
wineandgo.hu
whoopingcrane.com
switch-made.com
fascaonline.com
bluelakevision.com
look.academy
rattanwarehouse.co.uk
elitkeramika-shop.com.ua
wg-heiligenstadt.de
silkeight.com
kelsigordon.com
stressreliefadvice.com
cmascd.com
from02pro.com
blueridgeheritage.com
pisofare.co
guohedd.com
lookandseen.com
tramadolhealth.com
otpusk.zp.ua
blavait.fr
handyman-silkeborg.dk
reputation-medical.online
kenmccallum.com
akcadagofis.com
nepressurecleaning.com
greatofficespaces.net
makingmillionaires.net
eafx.pro
naukaip.ru
enactusnhlstenden.com
lumturo.academy
proffteplo.com
smartercashsystem.com
thisprettyhair.com
diverfiestas.com.es
stoneridgemontessori.com
cac2040.com
dentourage.com
christopherhannan.com
avtoboss163.ru:443
sveneulberg.de
daveystownhouse.com
mike.matthies.de
monstarrsoccer.com
opt4cdi.com
epsondriversforwindows.com
5thactors.com
nykfdyrehospital.dk
cormanmarketing.com
digitale-elite.de
parisschool.ru
nationnewsroom.com
bodet150ans.com
perfectgrin.com
mindfuelers.com
gurutechnologies.net
dr-vita.de
bonitabeachassociation.com
stathmoulis.gr
bg.szczecin.pl
oncarrot.com
leloupblanc.gr
bookingwheel.com
parksideseniorliving.net
riffenmattgarage.ch
liepertgrafikweb.at
galaniuklaw.com
nuohous.com
ced-elec.com
turing.academy
cc-experts.de
ntinasfiloxenia.gr
secrets-clubs.co.uk
rapid5kloan.org
designimage.ae
aslog.fr
ketomealprep.academy
globalskills.pt
lifeinbreaths.com
mediahub.co.nz
ledyoucan.com
electricianul.com
schluesseldienste-hannover.de
1deals.com
voetbalhoogeveen.nl
fsbforsale.com
testitjavertailut.net
allinonecampaign.com
narca.net
xn--80abehgab4ak0ddz.xn--p1ai
dcc-eu.com
dibli.store
brunoimmobilier.com
3daywebs.com
lesyeuxbleus.net
bellesiniacademy.org
mazift.dk
nginx.com
animation-pro.co.uk
katherinealy.com
bescomedical.de
sealgrinderpt.com
onlinemarketingsurgery.co.uk
worldproskitour.com
jayfurnitureco.com
signamedia.de
kryptos72.com
artcase.pl
mursall.de
xn--80addfr4ahr.dp.ua
cesep2019.com
redctei.co
der-stempelking.de
b3b.ch
rtc24.com
heimdalbygg.no
nexstagefinancial.com
osn.ro
luvbec.com
mediogiro.com.ar
the3-week-diet.net
richardkershawwines.co.za
martinipstudios.com
kosten-vochtbestrijding.be
citiscapes-art.com
astrographic.com
loparnille.se
hotelturbo.de
charlottelhanna.com
techybash.com
andermattswisswatches.ch
four-ways.com
nourella.com
valiant-voice.com
vitormmcosta.com
thenalpa.com
nxtstg.org
furland.ru
haard-totaal.nl
slotspinner.com
johnstonmingmanning.com
modamarfil.com
docarefoundation.org
mrcar.nl
csaballoons.com
neonodi.be
jlgraphisme.fr
inewsstar.com
alene.co
go.labibini.ch
hartofurniture.com
wyreforest.net
projektparkiet.pl
kiraribeaute-nani.com
catalyseurdetransformation.com
kryddersnapsen.dk
tecleados.com
laylavalentine.com
specialtyhomeservicesllc.com
aidanpublishing.co.uk
theater-lueneburg.de
triplettagaite.fr
business-basic.de
pajagus.fr
bcmets.info
renehartman.nl
k-zubki.ru
agora-collectivites.com
walterman.es
janmorgenstern.com
leatherjees.com
bubbalucious.com
veggienessa.com
mgimalta.com
finsahome.co.uk
latteswithleslie.com
lollachiro.com
slideevents.be
drvoip.com
deduktia.fi
centuryvisionglobal.com
tanatek.com
bumbipdeco.site
singletonfinancial.com
gta-jjb.fr
xrresources.com
jdscenter.com
catering.com
stanleyqualitysystems.com
frimec-international.es
paradigmlandscape.com
fluzfluzrewards.com
broccolisoep.nl
kellengatton.com
lapponiasafaris.com
parentsandkids.com
profibersan.com
glende-pflanzenparadies.de
greenrider.nl
muller.nl
eventosvirtualesexitosos.com
vipcarrental.ae
nauticmarine.dk
11.in.ua
nepal-pictures.com
sbit.ag
dentallabor-luenen.de
zinnystar.com
colored-shelves.com
powershell.su
augen-praxisklinik-rostock.de
simpleitsolutions.ch
cainlaw-okc.com
prodentalblue.com
k-v-f.de
bakingismyyoga.com
successcolony.com.ng
limmortelyouth.com
letsstopsmoking.co.uk
cmeow.com
hiddensee-buhne11.de
babysitting-hk.helpergo.co
amelielecompte.wordpress.com
birthplacemag.com
stage-infirmier.fr
domilivefurniture.com
yournextshoes.com
nrgvalue.com
pharmeko-group.com
eos-horlogerie.com
edvestors.org
volta.plus
pazarspor.org.tr
mensemetgesigte.co.za
sshomme.com
metcalfe.ca
mrkluttz.com
maryairbnb.wordpress.com
dmlcpa.com
pilotgreen.com
kuriero.pro
physio-lang.de
jaaphoekzema.nl
auto-opel.ro
auberives-sur-vareze.fr
graygreenbiomedservices.com
sololibrerie.it
husetsanitas.dk
mac-computer-support-hamburg.de
cssp-mediation.org
chris-anne.com
factorywizuk.com
tesisatonarim.com
harleystreetspineclinic.com
agenceassemble.fr
stringnosis.academy
ronaldhendriks.nl
rsidesigns.com
groovedealers.ru
sppdstats.com
neolaiamedispa.com
beauty-traveller.com
nalliasmali.net
sunsolutions.es
clinic-beethovenstrasse-ag.ch
zuerich-umzug.ch
campusce.com
khtrx.com
antesacademy.it
benchbiz.com
concontactodirecto.com
mondolandscapes.com
rolleepollee.com
jameswilliamspainting.com
moira-cristescu.com
cl0nazepamblog.com
burg-zelem.de
carmel-york.com
dierenambulancealkmaar.nl
easydental.ae
oportowebdesign.com
tutvracks.com
customroasts.com
campusescalade.com
advancedeyecare.com
espaciopolitica.com
ravage-webzine.nl
dnqa.co.uk
subyard.com
ijsselbeton.nl
wasnederland.nl
ronielyn.com
citydogslife.com
banukumbak.com
bavovrienden.nl
die-immo-agentur.de
cardsandloyalty.com
agrifarm.dk
trivselsguide.dk
muni.pe
patassociation.com
rokthetalk.com
acumenconsultingcompany.com
tweedekansenloket.nl
airserviceunlimited.com
lexced.com
baita.ac
angelika-schwarz.com
victorvictoria.com
alwaysdc.com
masecologicos.com
midwestschool.org
lovetzuchia.com
ddmgen.com
larchwoodmarketing.com
rhino-storage.co.uk
redpebblephotography.com
duthler.nl
triplettabordeaux.fr
apmollerpension.com
mustangmarketinggroup.com
sycamoregreenapts.com
molade.nl
datatri.be
arearugcleaningnyc.com
andrealuchesi.it
linearete.com
therapybusinessacademy.com
fotoeditores.com
eshop.design
mayprogulka.ru
pays-saint-flour.fr
line-x.co.uk
coachpreneuracademy.com
fskhjalmar.se
buonabitare.com
keuken-prijs.nl
primemarineengineering.com
livedeveloper.com
satoblog.org
lashandbrowenvy.com
gsconcretecoatings.com
rs-danmark.dk
ludoil.it
annenymus.com
lsngroupe.com
buffdaddyblog.com
askstaffing.com
latableacrepes-meaux.fr
bulyginnikitav.000webhostapp.com
margaretmcshane.com
cincinnatiphotocompany.org
aceroprime.com
matthieupetel.fr
solutionshosting.co.uk
pinkxgayvideoawards.com
boomerslivinglively.com
hepishopping.com
tetameble.pl
operativadigital.com
ninjaki.com
rhino-turf.com
juergenblaetz.de
mollymccarthydesign.com
soncini.ch
rishigangoly.com
mjk.digital
levelseven.be
qrs-international.com
michaelfiegel.com
bruut.online
awaisghauri.com
tieronechic.com
bohrlochversicherung.info
rarefoods.ro
spirello.nl
eyedoctordallas.com
myfbateam.com
azloans.com
hnkns.com
so-sage.fr
vvego.com
web865.com
mangimirossana.it
karmeliterviertel.com
craftron.com
vedsegaard.dk
collegetennis.info
achetrabalhos.com
acibademmobil.com.tr
activeterroristwarningcompany.com
raeoflightmusic.com
hostastay.com
solidhosting.nl
photonag.com
scholarquotes.com
futurenetworking.com
fidelitytitleoregon.com
julielusktherapy.com
polynine.com
betterce.com
acornishstudio.co.uk
nvisionsigns.com
ideamode.com
aquacheck.co.za
karelinjames.com
mahikuchen.com
ownidentity.com
leansupremegarcinia.net
qandmmusiccenter.com
cascinarosa33.it
tastevirginia.com
yvesdoin-aquarelles.fr
jollity.hu
circlecitydj.com
ayudaespiritualtamara.com
purepreprod4.com
palema.gr
akwaba-safaris.com
funworx.de
publicompserver.de
frankgoll.com
sber-biznes.com
mazzaropi.com.br
sytzedevries.com
christianscholz.de
sambaglow.com
goodboyscustom.com
wademurray.com
interlinkone.com
rentingwell.com
thestudio.academy
speakaudible.com
markseymourphotography.co.uk
druktemakersheerenveen.nl
johnkoen.com
advance-refle.com
hameghlim.com
rename.kz
craftstone.co.nz
annida.it
schlagbohrmaschinetests.com
salonlamar.nl
metroton.ru
yuanshenghotel.com
witraz.pl
mbuildinghomes.com
teethinadaydentalimplants.com
iron-mine.ru
alattekniksipil.com
queertube.net
devus.de
andreaskildegaard.dk
reizenmetkinderen.be
pvandambv.nl
pedmanson.com
iexpert99.com
louiedager.com
rechtenplicht.be
jmmartinezilustrador.com
leijstrom.com
mikegoodfellow.co.uk
buerocenter-butzbach-werbemittel.de
fitnessblenderstory.com
kickittickets.com
mneti.ru
elex.is
skolaprome.eu
billigeflybilletter.dk
stabilisateur.fr
terraflair.de
kompresory-opravy.com
sprintcoach.com
startuplive.org
marcandy.com
bluemarinefoundation.com
metallbau-hartmann.eu
kausette.com
basindentistry.com
cp-bap.de
biblica.com
mariamalmahdi.com
smartworkplaza.com
fla.se
brinkdoepke.eu
kamin-somnium.de
apiarista.de
transifer.fr
evsynthacademy.org
wirmuessenreden.com
placermonticello.com
envomask.com
holocine.de
axisoflove.org:443
jobkiwi.com.ng
baptistdistinctives.org
reygroup.pt
condormobile.fr
rossomattonecase.it
tages-geldvergleich.de
justaroundthecornerpetsit.com
adaduga.info
paprikapod.com
frameshift.it
bmw-i-pure-impulse.com
lovcase.com
directique.com
magrinya.net
hawaiisteelbuilding.com
belofloripa.be
circuit-diagramz.com
craftingalegacy.com
lattalvor.com
smartmind.net
cops4causes.org
aktivfriskcenter.se
fridakids.com
lisa-poncon.fr
lgiwines.com
fysiotherapierijnmond.nl
plbinsurance.com
studionumerik.fr
kristianboennelykke.dk
haus-landliebe.de
marmarabasin.com
advanced-removals.co.uk
teutoradio.de
epicjapanart.com
mslp.org
initconf.com
enews-qca.com
stagefxinc.com
gatlinburgcottage.com
drbenveniste.com
glas-kuck.de
chinowarehousespace.com
ncjc.ca
buzzneakers.com
theatre-embellie.fr
omnicademy.com
site.markkit.com.br
scentedlair.com
9nar.com
limounie.com
yourcosmicbeing.com
maxcube24.com.ua
brownswoodblog.com
arazi.eus
fire-space.com
sjtpo.org
fta-media.com
finnergo.eu
parseport.com
photographycreativity.co.uk
irizar.com
mieleshopping.it
golfclublandgoednieuwkerk.nl
ufovidmag.com
dentalcircle.com
ilveshistoria.com
taulunkartano.fi
dreamvoiceclub.org
tothebackofthemoon.com
laaisterplakky.nl
t3brothers.com
hutchstyle.co.uk
jeanmonti.com
georgemuncey.com
donau-guides.eu
asiaartgallery.jp
unexplored.gr
professionetata.com
eurethicsport.eu
rivermusic.nl
pxsrl.it
lmmont.sk
breakluckrecords.com
housesofwa.com
alcye.com
casinodepositors.com
fotoslubna.com
wribrazil.com
imaginekithomes.co.nz
nutriwell.com.sg
5pointpt.com
verbouwingsdouche.nl
catchup-mag.com
denhaagfoodie.nl
framemyballs.com
opticahubertruiz.com
malzomattalar.com
zumrutkuyutemel.com
gaearoyals.com
ya-elka.ru
geoweb.software
watchsale.biz
flossmoordental.com
wallflowersandrakes.com
tzn.nu
onesynergyinternational.com
phukienbepthanhdat.com
zwemofficial.nl
leadforensics.com
profiz.com
strauchs-wanderlust.info
sharonalbrightdds.com
perceptdecor.com
energosbit-rp.ru
billyoart.com
greeneyetattoo.com
brisbaneosteopathic.com.au
chorusconsulting.net
outstandingminialbums.com
santastoy.store
airvapourbarrier.com
lagschools.ng
efficiencyconsulting.es
ramirezprono.com
kafkacare.com
jakubrybak.com
mediabolmong.com
kartuindonesia.com
g2mediainc.com
tradenavigator.ch
oraweb.net
angelsmirrorus.com
breathebettertolivebetter.com
uci-france.fr
pankiss.ru
jobstomoveamerica.org
o90.dk
loysonbryan.com
jag.me
creohn.de
medicalsupportco.com
ikadomus.com
diakonie-weitramsdorf-sesslach.de
unislaw-narty.pl
lyricalduniya.com
imagine-entertainment.com
girlish.ae
egpu.fr
scotlandsroute66.co.uk
texanscan.org
boloria.de
happycatering.de
jalkapuu.net
spectamarketingdigital.com.br
kvetymichalovce.sk
dennisverschuur.com
jlwilsonbooks.com
charlesfrancis.photos
bundan.com
xtensifi.com
theboardroomafrica.com
noda.com.ua
bilius.dk
direitapernambuco.com
mariajosediazdemera.com
peninggibadan.co.id
indiebizadvocates.org
xn--ziinoapte-6ld.ro
janasfokus.com
paardcentraal.nl
patriotcleaning.net
cotton-avenue.co.il
davedavisphotos.com
ceocenters.com
campinglaforetdetesse.com
levencovka.ru
spartamovers.com
cxcompany.com
renderbox.ch
letterscan.de
claudiakilian.de
sweetz.fr
adedesign.com
signededenroth.dk
premiumweb.com.ua:443
premier-iowa.com
thegetawaycollective.com
littlesaints.academy
slotenmakerszwijndrecht.nl
olry-cloisons.fr
avis.mantova.it
drnelsonpediatrics.com
bajova.sk
berdonllp.com
beandrivingschool.com.au
optigas.com
computer-place.de
licensed-public-adjuster.com
voice2biz.com
domaine-des-pothiers.com
michal-s.co.il
clemenfoto.dk
sachainchiuk.com
happylublog.wordpress.com
albcleaner.fr
pokemonturkiye.com
fi-institutionalfunds.com
distrifresh.com
poems-for-the-soul.ch
kerstliedjeszingen.nl
dinedrinkdetroit.com
hawthornsretirement.co.uk
aberdeenartwalk.org
hotjapaneselesbian.com
abulanov.com
tatyanakopieva.ru
chomiksy.net
vitoriaecoturismo.com.br
mindsparkescape.com
mamajenedesigns.com
bluetenreich-brilon.de
dogsunlimitedguide.com
hoteltantra.com
avisioninthedesert.com
innervisions-id.com
2020hindsight.info
skinkeeper.li
jonnyhooley.com
omegamarbella.com
entdoctor-durban.com
spacebel.be
devplus.be
motocrossplace.co.uk
anchelor.com
suonenjoen.fi
forumsittard.nl
amyandzac.com
111firstdelray.com
dieetuniversiteit.nl
hm-com.com
net: true
pid: 30
prc:
  dbsnmp.exe
  isqlplussvc.exe
  mysqld.exe
  winword.exe
  tbirdconfig.exe
  firefoxconfig.exe
  agntsvc.exe
  synctime.exe
  ocautoupds.exe
  msftesql.exe
  xfssvccon.exe
  powerpnt.exe
  outlook.exe
  mspub.exe
  thebat64.exe
  mysqld_opt.exe
  onenote.exe
  mydesktopqos.exe
  thunderbird.exe
  sqlservr.exe
  sqlwriter.exe
  dbeng50.exe
  wordpad.exe
  infopath.exe
  excel.exe
  thebat.exe
  sqbcoreservice.exe
  visio.exe
  steam.exe
  ocomm.exe
  oracle.exe
  msaccess.exe
  mysqld_nt.exe
  mydesktopservice.exe
  ocssd.exe
  encsvc.exe
  sqlagent.exe
  sqlbrowser.exe
ransom_oneliner: All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template: ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub: 97
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
법원 서류.doc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation 법원 서류.doc.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
법원 서류.doc.exedescription ioc process File opened (read-only) \??\B: 법원 서류.doc.exe File opened (read-only) \??\G: 법원 서류.doc.exe File opened (read-only) \??\H: 법원 서류.doc.exe File opened (read-only) \??\K: 법원 서류.doc.exe File opened (read-only) \??\N: 법원 서류.doc.exe File opened (read-only) \??\U: 법원 서류.doc.exe File opened (read-only) \??\V: 법원 서류.doc.exe File opened (read-only) \??\F: 법원 서류.doc.exe File opened (read-only) \??\O: 법원 서류.doc.exe File opened (read-only) \??\S: 법원 서류.doc.exe File opened (read-only) \??\W: 법원 서류.doc.exe File opened (read-only) \??\Y: 법원 서류.doc.exe File opened (read-only) \??\Z: 법원 서류.doc.exe File opened (read-only) \??\R: 법원 서류.doc.exe File opened (read-only) \??\E: 법원 서류.doc.exe File opened (read-only) \??\I: 법원 서류.doc.exe File opened (read-only) \??\J: 법원 서류.doc.exe File opened (read-only) \??\L: 법원 서류.doc.exe File opened (read-only) \??\M: 법원 서류.doc.exe File opened (read-only) \??\P: 법원 서류.doc.exe File opened (read-only) \??\Q: 법원 서류.doc.exe File opened (read-only) \??\A: 법원 서류.doc.exe File opened (read-only) \??\T: 법원 서류.doc.exe File opened (read-only) \??\X: 법원 서류.doc.exe -
Drops file in Windows directory 64 IoCs
Processes:
법원 서류.doc.exedescription ioc process File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_de-de_a66d5af59c568371_ngcsvc.dll.mui_96312421 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_de-de_76fd7ea1d674a877_services.exe.mui_86ea5e71 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_52d81c9b0be0737d_dsreg.dll.mui_5d9efc7e 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.19041.746_none_487e089a81330048_oleacchooks.dll_f9282ebb 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shacct_31bf3856ad364e35_10.0.19041.610_none_a415ea988031a7e3_shacct.dll_f953c950 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-schannel_31bf3856ad364e35_10.0.19041.1_none_e25c02e429011f37.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.19041.789_none_93e6eb93accdac11.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1202_none_a391067a6b9b433c_applockerfltr.sys_6a9d2cba 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.1_none_6b65f79c2d70b55d.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.19041.264_none_85aaecefd5053e96.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_379018f38e600fa9_mofd.dll.mui_793ef98d 법원 서류.doc.exe 
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.19041.1_es-es_0f152ce0e82a41ba_applockercsp.dll.mui_d2a0df70 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smbminirdr_31bf3856ad364e35_10.0.19041.1202_none_f4519a1f0653c6be.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b103cf1329c78478_tcpipcfg.dll.mui_a5479fc1 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..onment-core-tcbboot_31bf3856ad364e35_10.0.19041.1288_none_75442af2fe19577c_tcblaunch.exe_d6a1d462 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_de-de_ab07071d714e7ecb_wevtsvc.dll.mui_f41bf7b7 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.19041.1_it-it_635a71dbe36ecef6.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_sv-se_4660a589b1629b9a_comctl32.dll.mui_0da4e682 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsi.psd1_8e91985d 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_c2f24ed0bf347cdd.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..orkconnectionbroker_31bf3856ad364e35_10.0.19041.1202_none_d16f7d1b7a182564.manifest 법원 서류.doc.exe File opened for modification 
C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_21ce86839bea8f66_mountmgr.sys.mui_71b54a25 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_de-de_f799016caa0fe521_rpcepmap.dll.mui_349798e1 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1_none_ef1691668a233417.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.19041.1202_none_574a25a5ee347454.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_10.0.19041.546_none_e397cce70c94bb9c.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-raspptp_31bf3856ad364e35_10.0.19041.488_none_77bf24d746c4ccde_raspptp.sys_25e89db1 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.19041.1_none_df4e7b90a62a08e3.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.19041.1266_none_123a7540f6f47a8e_dcomp.dll_a2e93a7d 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.19041.1_none_987b063fd85ba334.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_10.0.19041.264_none_f0131a4775eba512.manifest 법원 서류.doc.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.19041.1_none_de146f6286602c80.manifest 법원 서류.doc.exe File opened for modification 
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  2092  법원 서류.doc.exe
  2092  법원 서류.doc.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process            target process
  PID 2092 wrote to memory of 4576   2092  법원 서류.doc.exe  cmd.exe
  PID 2092 wrote to memory of 4576   2092  법원 서류.doc.exe  cmd.exe
  PID 2092 wrote to memory of 4576   2092  법원 서류.doc.exe  cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\법원 서류.doc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\법원 서류.doc.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe (child of PID 2092)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Downloads
-
memory/2092-130-0x0000000000678000-0x0000000000690000-memory.dmp  (Filesize 96KB)
memory/2092-131-0x0000000000678000-0x0000000000690000-memory.dmp  (Filesize 96KB)
memory/2092-132-0x0000000000400000-0x000000000049B000-memory.dmp  (Filesize 620KB)
memory/4576-133-0x0000000000000000-mapping.dmp