Resubmissions
230214-e6z8ssab4w  14-02-2023 04:33  score 10
230210-hv9vmsgg96  10-02-2023 07:04  score 10
230210-hsg2vage79  10-02-2023 06:59  score 10
230210-hlmzhsfe71  10-02-2023 06:49  score 10
230210-hgvtkaff86  10-02-2023 06:42  score 10
230209-rx1jesfg53  09-02-2023 14:35  score 10
Analysis
max time kernel: 519s
max time network: 467s
platform: windows10-1703_x64
resource: win10-20220901-es
resource tags: arch:x64 arch:x86 image:win10-20220901-es locale:es-es os:windows10-1703-x64 system:windows
submitted: 10-02-2023 07:04
Behavioral task
behavioral1
Sample
2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
Resource
win10-20220901-es
General
Target: 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
Size: 219KB
MD5: 69d6f75b8cfd52216a6ff4b0861655ef
SHA1: 2c644dac27af557bc1a8329baf943e8b81170b2e
SHA256: 349bdb12a75fbfc2803f988862764ba6058b371728930f8dcb248f105ce607f7
SHA512: 48ab4714e8ee1a0f7327160ebeacae22a31efc24fd89822521d5fff0c44fbb814646457cb8eda9429316102982f13bdd0f29f4189902e7a3e7ecfd3c055035fa
SSDEEP: 3072:ur85Ce8F63VETed7/kBazzFbULpC15RM4ENKQ4JTBg0D:u9eS63VE6F/M4qE15NENn4FD
Malware Config
Extracted
C:\l1uau-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7ACBB3125E3C5BEB
http://decryptor.top/7ACBB3125E3C5BEB
Extracted
sodinokibi
19
96
-
net
true
-
pid
19
-
prc
tbirdconfig
onenote
sqlbrowser
firefoxconfig
ocautoupds
ocssd
thebat
winword
mspub
dbeng50
steam
sqlwriter
sqlservr
msftesql
encsvc
infopath
mysqld_nt
sqlagent
mydesktopqos
synctime
wordpad
powerpnt
outlook
dbsnmp
isqlplussvc
ocomm
sqbcoreservice
oracle
thunderbird
xfssvccon
excel
mydesktopservice
msaccess
mysqld_opt
mysqld
agntsvc
thebat64
visio
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
96
-
svc
veeam
backup
sql
mepocs
sophos
svc$
vss
memtas
Signatures
-
Detect Neshta payload 46 IoCs
Processes:
resource  yara_rule
C:\Windows\svchost.com  family_neshta
C:\Windows\svchost.com  family_neshta
C:\odt\OFFICE~1.EXE  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE  family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe  family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE  family_neshta
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE  family_neshta
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE  family_neshta
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe  family_neshta
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE  family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE  family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE  family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe  family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE  family_neshta
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE  family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE  family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE  family_neshta
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE  family_neshta
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE  family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE  family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE  family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE  family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE  family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE  family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE  family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE  family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE  family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE  family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe  family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe  family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE  family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe  family_neshta
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
process: 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
-
Neshta
Neshta is a file infector: it writes itself into other executables on the host so that it spreads and runs whenever those programs are launched, corrupting them in the process.
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi/Revil sample 2 IoCs
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe  family_sodinokobi
C:\Users\Admin\AppData\Local\Temp\3582-490\2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe  family_sodinokobi
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
process: 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File renamed C:\Users\Admin\Pictures\PushOut.crw => \??\c:\users\admin\pictures\PushOut.crw.l1uau
File renamed C:\Users\Admin\Pictures\RedoDismount.png => \??\c:\users\admin\pictures\RedoDismount.png.l1uau
File renamed C:\Users\Admin\Pictures\RevokeStep.crw => \??\c:\users\admin\pictures\RevokeStep.crw.l1uau
File renamed C:\Users\Admin\Pictures\UnpublishSearch.png => \??\c:\users\admin\pictures\UnpublishSearch.png.l1uau
File renamed C:\Users\Admin\Pictures\MergePing.raw => \??\c:\users\admin\pictures\MergePing.raw.l1uau
File renamed C:\Users\Admin\Pictures\NewSync.png => \??\c:\users\admin\pictures\NewSync.png.l1uau
File renamed C:\Users\Admin\Pictures\OpenTest.tif => \??\c:\users\admin\pictures\OpenTest.tif.l1uau
File renamed C:\Users\Admin\Pictures\PublishResize.crw => \??\c:\users\admin\pictures\PublishResize.crw.l1uau
File renamed C:\Users\Admin\Pictures\SkipRestore.crw => \??\c:\users\admin\pictures\SkipRestore.crw.l1uau
File renamed C:\Users\Admin\Pictures\UnprotectReceive.raw => \??\c:\users\admin\pictures\UnprotectReceive.raw.l1uau
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
3636  2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
4844  svchost.com
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 26 IoCs
Processes:
process: 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification \??\c:\users\admin\music\desktop.ini
File opened for modification \??\c:\users\admin\videos\desktop.ini
File opened for modification \??\c:\users\public\desktop\desktop.ini
File opened for modification \??\c:\users\public\music\desktop.ini
File opened for modification \??\c:\program files (x86)\desktop.ini
File opened for modification \??\c:\users\public\desktop.ini
File opened for modification \??\c:\users\admin\desktop\desktop.ini
File opened for modification \??\c:\users\public\downloads\desktop.ini
File opened for modification \??\c:\users\public\pictures\desktop.ini
File opened for modification \??\c:\users\admin\pictures\camera roll\desktop.ini
File opened for modification \??\c:\users\admin\pictures\saved pictures\desktop.ini
File opened for modification \??\c:\program files\desktop.ini
File opened for modification \??\c:\users\admin\contacts\desktop.ini
File opened for modification \??\c:\users\admin\saved games\desktop.ini
File opened for modification \??\c:\users\public\documents\desktop.ini
File opened for modification \??\c:\users\public\libraries\desktop.ini
File opened for modification \??\c:\users\public\videos\desktop.ini
File opened for modification \??\c:\users\admin\favorites\links\desktop.ini
File opened for modification \??\c:\users\admin\documents\desktop.ini
File opened for modification \??\c:\users\admin\downloads\desktop.ini
File opened for modification \??\c:\users\admin\onedrive\desktop.ini
File opened for modification \??\c:\users\admin\pictures\desktop.ini
File opened for modification \??\c:\users\admin\searches\desktop.ini
File opened for modification \??\c:\users\public\accountpictures\desktop.ini
File opened for modification \??\c:\users\admin\favorites\desktop.ini
File opened for modification \??\c:\users\admin\links\desktop.ini
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
description | ioc | process
File opened (read-only) | \??\V: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\Y: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\E: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\I: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\R: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\M: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\O: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\Q: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\U: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\W: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\B: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\G: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\H: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\T: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\Z: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\D: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\A: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\J: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\P: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\N: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\S: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\X: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\F: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\K: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened (read-only) | \??\L: | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\j8lh.bmp" | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
Drops file in Program Files directory 64 IoCs
Two processes modify existing executables under Program Files: the sample itself and C:\Windows\svchost.com, which the sample writes (see the Windows directory table below). Rewriting installed .exe files rather than user documents is file-infector behaviour, consistent with the neshta tag in the sample name; the l1uau-readme.txt notes created in c:\program files and c:\program files (x86) and the modified document-type files belong to the ransomware side.
Processes: 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe, svchost.com, 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
description | ioc | process
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | svchost.com
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | svchost.com
File opened for modification | \??\c:\program files\OutUnprotect.gif | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | svchost.com
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | svchost.com
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | svchost.com
File opened for modification | \??\c:\program files\RestartUnprotect.rtf | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | \??\c:\program files\SelectOptimize.html | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | svchost.com
File opened for modification | \??\c:\program files\InstallTest.vdw | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | svchost.com
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | svchost.com
File opened for modification | \??\c:\program files\SyncNew.3g2 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | \??\c:\program files (x86)\desktop.ini | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | svchost.com
File opened for modification | \??\c:\program files\MountComplete.3gpp | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File created | \??\c:\program files\l1uau-readme.txt | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | svchost.com
File opened for modification | \??\c:\program files\RedoUse.DVR-MS | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | \??\c:\program files\SendConvertFrom.rmi | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File created | \??\c:\program files (x86)\l1uau-readme.txt | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | svchost.com
File opened for modification | \??\c:\program files\EnterOptimize.7z | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | \??\c:\program files\ConvertToReceive.ttf | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | \??\c:\program files\PopMove.ttc | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | svchost.com
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | svchost.com
File opened for modification | \??\c:\program files\EnterJoin.3gp2 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | \??\c:\program files\RequestPublish.html | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
Drops file in Windows directory 10 IoCs
Processes: MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, mspaint.exe, 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe, svchost.com
description | ioc | process
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\svchost.com | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments. In this run all five reads come from firefox.exe, a browser started in the sandbox, not from the sample, so this signature carries no weight for the verdict.
Processes: firefox.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery. This table records only that vssadmin.exe ran (pid 4676); the command line it was given is not shown in this section.
Processes: vssadmin.exe
pid | process
4676 | vssadmin.exe
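The signatures above that matter for a verdict are the drive-root enumeration, the desktop.ini sweep across user folders, the wallpaper pointed at a file in Temp, the installed executables rewritten under Program Files, the svchost.com and directx.sys writes directly in C:\Windows, the l1uau-readme.txt notes and the vssadmin.exe launch; the browser registry rows from iexplore.exe, MicrosoftEdge.exe and firefox.exe further down are sandbox noise. The following Python is an added example, not Triage's signature logic and not part of the report: it scores a constructed subset of this page's (description, ioc, process) rows with heuristics chosen for this example (the thresholds, the finding names, and a note-name rule based on REvil writing its note as the random extension followed by -readme.txt) and attributes every finding to the process that produced it, so the file-infector behaviour of svchost.com is reported separately from the ransomware behaviour of the sample.

```python
"""Score Triage-style behaviour rows per process (added example, not report code)."""
import re
from collections import defaultdict

SAMPLE = "2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe"

# Constructed input: a subset of the (description, ioc, process) rows on this page.
ROWS = [
    ("File opened for modification", r"\??\c:\users\admin\music\desktop.ini", SAMPLE),
    ("File opened for modification", r"\??\c:\users\admin\documents\desktop.ini", SAMPLE),
    ("File opened for modification", r"\??\c:\users\public\desktop\desktop.ini", SAMPLE),
    ("File opened for modification", r"\??\c:\program files\desktop.ini", SAMPLE),
    ("File opened (read-only)", r"\??\A:", SAMPLE),
    ("File opened (read-only)", r"\??\D:", SAMPLE),
    ("File opened (read-only)", r"\??\E:", SAMPLE),
    ("File opened (read-only)", r"\??\Z:", SAMPLE),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000'
     r'\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\j8lh.bmp"',
     SAMPLE),
    ("File created", r"\??\c:\program files\l1uau-readme.txt", SAMPLE),
    ("File created", r"\??\c:\program files (x86)\l1uau-readme.txt", SAMPLE),
    ("File opened for modification", r"C:\PROGRA~2\INTERN~1\iexplore.exe", SAMPLE),
    ("File opened for modification", r"C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\svchost.com", SAMPLE),
    ("File opened for modification", r"C:\PROGRA~2\WI54FB~1\wmplayer.exe", "svchost.com"),
    ("File opened for modification", r"C:\PROGRA~2\INTERN~1\ExtExport.exe", "svchost.com"),
    ("File opened for modification", r"C:\Windows\directx.sys", "svchost.com"),
    ("File created", r"C:\Windows\rescache\_merged\3720402701\2219095117.pri", "MicrosoftEdge.exe"),
    ("File opened for modification", r"C:\Windows\Debug\ESE.TXT", "MicrosoftEdge.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier",
     "firefox.exe"),
]
# Constructed input: the "pid process" table of the shadow-copy signature.
PROCESS_ROWS = [(4676, "vssadmin.exe")]

DRIVE_ROOT = re.compile(r"^\\\?\?\\[A-Z]:$")                         # \??\D:
DESKTOP_INI = re.compile(r"\\desktop\.ini$", re.I)
RANSOM_NOTE = re.compile(r"\\([a-z0-9]{4,8}-readme\.txt)$", re.I)  # REvil: <ext>-readme.txt
WALLPAPER = re.compile(r'\\Control Panel\\Desktop\\Wallpaper = "(.+)"$', re.I)
PE_EXT = re.compile(r"\.(exe|dll|com|sys|scr)$", re.I)
PROGRAM_FILES = re.compile(r"^(\\\?\?\\)?c:\\(program files( \(x86\))?|progra~[23])\\", re.I)
WINDOWS_ROOT_FILE = re.compile(r"^(\\\?\?\\)?c:\\windows\\[^\\]+$", re.I)  # file directly in C:\Windows


def parent_dir(path):
    return path.lower().rsplit("\\", 1)[0]


def analyse(rows, process_rows, min_drives=3, min_ini_dirs=3, min_pe_writes=2):
    """Map each process to the set of behaviour findings its own rows support."""
    events = defaultdict(list)
    for desc, ioc, proc in rows:
        events[proc].append((desc, ioc))
    findings = defaultdict(set)
    for proc, evs in events.items():
        mods = [ioc for d, ioc in evs if d == "File opened for modification"]
        created = [ioc for d, ioc in evs if d == "File created"]
        # Ransomware traits: probe every drive root, touch desktop.ini in many
        # folders, drop one note name in several directories, swap the wallpaper.
        drives = {ioc for d, ioc in evs if d == "File opened (read-only)" and DRIVE_ROOT.match(ioc)}
        if len(drives) >= min_drives:
            findings[proc].add("drive_enumeration")
        if len({parent_dir(p) for p in mods if DESKTOP_INI.search(p)}) >= min_ini_dirs:
            findings[proc].add("desktop_ini_sweep")
        note_dirs = defaultdict(set)
        for p in created:
            m = RANSOM_NOTE.search(p)
            if m:
                note_dirs[m.group(1).lower()].add(parent_dir(p))
        if any(len(dirs) >= 2 for dirs in note_dirs.values()):
            findings[proc].add("ransom_note_dropped")
        for d, ioc in evs:
            m = WALLPAPER.search(ioc)
            if d.startswith("Set value") and m and "\\temp\\" in m.group(1).lower():
                findings[proc].add("wallpaper_from_temp")
        # File-infector traits: rewrite installed executables, plant a binary
        # directly in C:\Windows (svchost.com and directx.sys in this report).
        if len([p for p in mods if PE_EXT.search(p) and PROGRAM_FILES.match(p)]) >= min_pe_writes:
            findings[proc].add("program_files_pe_tamper")
        if any(WINDOWS_ROOT_FILE.match(p) and PE_EXT.search(p) for p in mods + created):
            findings[proc].add("windows_root_binary_drop")
    if any(name.lower() == "vssadmin.exe" for _, name in process_rows):
        findings["vssadmin.exe"].add("shadow_copy_interaction")
    return {proc: found for proc, found in findings.items() if found}


RANSOMWARE = {"drive_enumeration", "desktop_ini_sweep", "ransom_note_dropped", "wallpaper_from_temp"}
INFECTOR = {"program_files_pe_tamper", "windows_root_binary_drop"}


def verdict(findings):
    """Label each flagged process; two ransomware traits or both infector traits are required."""
    labels = {}
    for proc, found in findings.items():
        tags = []
        if len(found & RANSOMWARE) >= 2:
            tags.append("ransomware")
        if found >= INFECTOR:
            tags.append("file-infector")
        if "shadow_copy_interaction" in found:
            tags.append("recovery-inhibition")
        labels[proc] = tags
    return labels


if __name__ == "__main__":
    found = analyse(ROWS, PROCESS_ROWS)
    for proc, tags in verdict(found).items():
        print(f"{proc}: {', '.join(tags)}  {sorted(found[proc])}")
```

Run directly, it prints one line per flagged process; MicrosoftEdge.exe and firefox.exe produce no findings and are dropped. The thresholds (three drive roots, three desktop.ini folders, two rewritten executables) are arbitrary starting points and would be tuned against benign runs before this went into a pipeline, and the note-name rule only covers the REvil naming seen on this page.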
Processes: IEXPLORE.EXE, iexplore.exe, MicrosoftEdgeCP.exe, browser_broker.exe, browser_broker.exe, MicrosoftEdge.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2820048200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382777928" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31014174" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2814892292" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31014174" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2814735585" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31014174" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "382826514" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2820048200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31014174" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "382794523" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D27E75E0-A911-11ED-9425-722084C0667F} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Modifies registry class 64 IoCs
Processes: MicrosoftEdgeCP.exe, MicrosoftEdge.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, firefox.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fd3587601e3dd901 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "1280" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Pack = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{D05B8EB0-5D6F-40C2-A6D7-77AB88463CEA}" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 7bef3f1b21bed801 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | firefox.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" MicrosoftEdge.exe -
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 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 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
-
Opens file in notepad (likely ransom note) 2 IoCs
Processes:
pid | process
4748 | NOTEPAD.EXE
1276 | notepad.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
3636 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
3636 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
4160 | mspaint.exe
4160 | mspaint.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
4360 | OpenWith.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
3504 | MicrosoftEdgeCP.exe
1936 | MicrosoftEdgeCP.exe
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
description | pid | process
Token: SeBackupPrivilege | 4144 | vssvc.exe
Token: SeRestorePrivilege | 4144 | vssvc.exe
Token: SeAuditPrivilege | 4144 | vssvc.exe
Token: SeDebugPrivilege | 2648 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 2648 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 2648 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 2648 | MicrosoftEdge.exe
Token: SeDebugPrivilege | 1344 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 1344 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 1344 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 1344 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 3560 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 3560 | MicrosoftEdgeCP.exe
Token: SeDebugPrivilege | 2648 | MicrosoftEdge.exe
Token: SeTcbPrivilege | 4184 | svchost.exe
Token: SeRestorePrivilege | 4184 | svchost.exe
Token: SeDebugPrivilege | 1544 | firefox.exe
Token: SeDebugPrivilege | 1544 | firefox.exe
-
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
pid | process
4348 | iexplore.exe
1544 | firefox.exe
1544 | firefox.exe
1544 | firefox.exe
1544 | firefox.exe
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
1544 | firefox.exe
1544 | firefox.exe
1544 | firefox.exe
-
Suspicious use of SetWindowsHookEx 42 IoCs
Processes:
pid | process
2648 | MicrosoftEdge.exe
3504 | MicrosoftEdgeCP.exe
3504 | MicrosoftEdgeCP.exe
4348 | iexplore.exe
4348 | iexplore.exe
4716 | IEXPLORE.EXE
4716 | IEXPLORE.EXE
4716 | IEXPLORE.EXE
4716 | IEXPLORE.EXE
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
4360 | OpenWith.exe
1544 | firefox.exe
4716 | IEXPLORE.EXE
4716 | IEXPLORE.EXE
2464 | MicrosoftEdge.exe
1936 | MicrosoftEdgeCP.exe
1936 | MicrosoftEdgeCP.exe
4160 | mspaint.exe
4160 | mspaint.exe
4160 | mspaint.exe
4160 | mspaint.exe
4716 | IEXPLORE.EXE
4716 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2792 wrote to memory of 3636 | 2792 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
PID 2792 wrote to memory of 3636 | 2792 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
PID 2792 wrote to memory of 3636 | 2792 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
PID 3636 wrote to memory of 4844 | 3636 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe | svchost.com
PID 3636 wrote to memory of 4844 | 3636 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe | svchost.com
PID 3636 wrote to memory of 4844 | 3636 | 2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe | svchost.com
PID 4844 wrote to memory of 4360 | 4844 | svchost.com | cmd.exe
PID 4844 wrote to memory of 4360 | 4844 | svchost.com | cmd.exe
PID 4844 wrote to memory of 4360 | 4844 | svchost.com | cmd.exe
PID 4360 wrote to memory of 4676 | 4360 | cmd.exe | vssadmin.exe
PID 4360 wrote to memory of 4676 | 4360 | cmd.exe | vssadmin.exe
PID 4360 wrote to memory of 4676 | 4360 | cmd.exe | vssadmin.exe
PID 3504 wrote to memory of 1344 | 3504 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 3504 wrote to memory of 1344 | 3504 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 3504 wrote to memory of 1344 | 3504 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 4348 wrote to memory of 4716 | 4348 | iexplore.exe | IEXPLORE.EXE
PID 4348 wrote to memory of 4716 | 4348 | iexplore.exe | IEXPLORE.EXE
PID 4348 wrote to memory of 4716 | 4348 | iexplore.exe | IEXPLORE.EXE
PID 4184 wrote to memory of 4556 | 4184 | svchost.exe | dashost.exe
PID 4184 wrote to memory of 4556 | 4184 | svchost.exe | dashost.exe
PID 4360 wrote to memory of 3420 | 4360 | OpenWith.exe | firefox.exe
PID 4360 wrote to memory of 3420 | 4360 | OpenWith.exe | firefox.exe
PID 3420 wrote to memory of 1544 | 3420 | firefox.exe | firefox.exe
PID 3420 wrote to memory of 1544 | 3420 | firefox.exe | firefox.exe
PID 3420 wrote to memory of 1544 | 3420 | firefox.exe | firefox.exe
PID 3420 wrote to memory of 1544 | 3420 | firefox.exe | firefox.exe
PID 3420 wrote to memory of 1544 | 3420 | firefox.exe | firefox.exe
PID 3420 wrote to memory of 1544 | 3420 | firefox.exe | firefox.exe
PID 3420 wrote to memory of 1544 | 3420 | firefox.exe | firefox.exe
PID 3420 wrote to memory of 1544 | 3420 | firefox.exe | firefox.exe
PID 3420 wrote to memory of 1544 | 3420 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 1548 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 1548 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
PID 1544 wrote to memory of 4004 | 1544 | firefox.exe | firefox.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe"
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\3582-490\2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe"
  - Modifies extensions of user files
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\svchost.com
    Command line: "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
-
      C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
-
        C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
-
C:\Windows\system32\wbem\unsecapp.exe
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Windows Mail\wab.exe
Command line: "C:\Program Files\Windows Mail\wab.exe" /contact "C:\Users\Admin\Desktop\SetReceive.contact"
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exe
Command line: C:\Windows\system32\browser_broker.exe -Embedding
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\notepad.exe
Command line: "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\ExportRestart.ps1"
- Opens file in notepad (likely ransom note)
-
C:\Program Files\Windows Mail\wab.exe
Command line: "C:\Program Files\Windows Mail\wab.exe" /contact "C:\Users\Admin\Desktop\SetReceive.contact"
-
C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RenameClose.gif
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4348 CREDAT:82945 /prefetch:2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\system32\dashost.exe
  Command line: dashost.exe {dc77ef7c-e127-4ad8-8dd78579b8371a14}
-
C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\RenameClose.gif"
  - Suspicious use of WriteProcessMemory
-
    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -url C:\Users\Admin\Desktop\RenameClose.gif
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1544.0.1098629275\1635219366" -parentBuildID 20200403170909 -prefsHandle 1544 -prefMapHandle 1536 -prefsLen 1 -prefMapSize 219987 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1544 "\\.\pipe\gecko-crash-server-pipe.1544" 1616 gpu
-
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1544.3.601009008\604452957" -childID 1 -isForBrowser -prefsHandle 2208 -prefMapHandle 2120 -prefsLen 156 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1544 "\\.\pipe\gecko-crash-server-pipe.1544" 2228 tab
-
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1544.13.1005025618\1726196794" -childID 2 -isForBrowser -prefsHandle 3312 -prefMapHandle 3272 -prefsLen 6938 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1544 "\\.\pipe\gecko-crash-server-pipe.1544" 3284 tab
-
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1544.20.187962951\240577188" -childID 3 -isForBrowser -prefsHandle 4144 -prefMapHandle 4140 -prefsLen 7643 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1544 "\\.\pipe\gecko-crash-server-pipe.1544" 4152 tab
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exe
Command line: C:\Windows\system32\browser_broker.exe -Embedding
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\mspaint.exe
Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\StopDismount.rle"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
-
C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UpdateNew.inf
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\l1uau-readme.txt
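Three behaviours in the tree above are the ones a detection engineer would turn into rules: the shadow-copy and boot-recovery wipe run through cmd.exe (PID 4360) under the Neshta loader C:\Windows\svchost.com, the write to the user's CA certificate store by the unwrapped payload (PID 3636), and the change to the executable file-type association by the wrapped sample (PID 2792). The following is an added example and is not part of the sandbox report or of any vendor's ruleset: it runs those rules over Sysmon-style records and reconstructs the parent chain from ParentProcessId links. The records are constructed by hand from the PIDs, paths and command lines shown above; the field names (Image, ParentImage, TargetObject, Details) follow Sysmon's schema, and the exefile value in record 8 is an assumption, since the report states only that the association was modified, not what was written.

```python
"""Triage of Sysmon-style events for the behaviours in the report above.
Added example; EVENTS is hand-built from the report's PIDs, paths and command lines."""
import re

SAMPLE = "2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ORIG = TEMP + "\\" + SAMPLE                     # Neshta-wrapped file as submitted
UNWRAPPED = TEMP + "\\3582-490\\" + SAMPLE      # payload Neshta unwrapped and ran
USER_HIVE = r"HKU\S-1-5-21-2368682536-4045190062-1465778271-1000"
WIPE_ARGS = ("/c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} "
             "recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures")

# Command-line rules for process-creation records (Sysmon Event ID 1 / Security 4688).
CMDLINE_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot_failures_ignored", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]
# Neshta's loader is a .com in C:\Windows named after a system process; a cmd.exe
# whose parent is that file is the infector relaying to the program it wrapped.
LOADER_RE = re.compile(r"\\Windows\\svchost\.com$", re.I)
UNWRAPPED_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\3582-490\\", re.I)

# Registry rules for value-set records (Sysmon Event ID 13).
USER_CA_STORE_RE = re.compile(
    r"\\Software\\Microsoft\\SystemCertificates\\CA\\Certificates\\[0-9A-F]{40}\\Blob$", re.I)
EXEFILE_CMD_RE = re.compile(r"\\Classes\\exefile\\shell\\open\\command\\\(Default\)$", re.I)
EXEFILE_DEFAULT = '"%1" %*'   # stock value; anything else runs on every .exe launch

def check_process(ev):
    """Rule names matched by one process-creation record."""
    hits = [name for name, rx in CMDLINE_RULES if rx.search(ev.get("CommandLine", ""))]
    if LOADER_RE.search(ev.get("ParentImage", "")):
        hits.append("spawned_by_neshta_loader")
    if UNWRAPPED_DIR_RE.search(ev.get("Image", "")):
        hits.append("runs_from_neshta_unwrap_dir")
    return hits

def check_registry(ev):
    """Rule names matched by one registry value-set record."""
    hits, target = [], ev.get("TargetObject", "")
    if USER_CA_STORE_RE.search(target):
        hits.append("user_ca_store_write")
    if EXEFILE_CMD_RE.search(target) and ev.get("Details", "").strip() != EXEFILE_DEFAULT:
        hits.append("exefile_association_hijack")
    return hits

def triage(events):
    """RecordId -> matched rule names, for every record that trips at least one rule."""
    checks = {1: check_process, 13: check_registry}
    out = {}
    for ev in events:
        hits = checks.get(ev["EventID"], lambda _ev: [])(ev)
        if hits:
            out[ev["RecordId"]] = hits
    return out

def ancestry(events, pid):
    """Follow ParentProcessId links from pid to the root: [(pid, image basename), ...]."""
    by_pid = {ev["ProcessId"]: ev for ev in events if ev["EventID"] == 1}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append((pid, by_pid[pid]["Image"].rsplit("\\", 1)[-1]))
        pid = by_pid[pid].get("ParentProcessId")
    return chain

def proc(rec, pid, ppid, image, parent, cmd):
    return {"RecordId": rec, "EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "CommandLine": cmd}

def reg(rec, pid, target, details):
    return {"RecordId": rec, "EventID": 13, "ProcessId": pid, "TargetObject": target, "Details": details}

# Constructed records mirroring the process tree and registry IoCs above (PIDs as reported).
EVENTS = [
    proc(1, 2792, None, ORIG, "", '"' + ORIG + '"'),
    proc(2, 3636, 2792, UNWRAPPED, ORIG, '"' + UNWRAPPED + '"'),
    proc(3, 4844, 3636, r"C:\Windows\svchost.com", UNWRAPPED,
         '"C:\\Windows\\svchost.com" "C:\\Windows\\System32\\cmd.exe" ' + WIPE_ARGS),
    proc(4, 4360, 4844, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\svchost.com",
         "C:\\Windows\\System32\\cmd.exe " + WIPE_ARGS),
    proc(5, 4676, 4360, r"C:\Windows\SysWOW64\vssadmin.exe", r"C:\Windows\SysWOW64\cmd.exe",
         "vssadmin.exe Delete Shadows /All /Quiet"),
    proc(6, 4144, None, r"C:\Windows\system32\vssvc.exe", "", r"C:\Windows\system32\vssvc.exe"),
    reg(7, 3636, USER_HIVE + r"\Software\Microsoft\SystemCertificates\CA\Certificates"
        r"\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob", "Binary Data"),
    # The report says the exefile association was modified but not what was written;
    # this non-default value is an assumption made for the example.
    reg(8, 2792, r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
        r'"C:\Windows\svchost.com" "%1" %*'),
    reg(9, 2648, USER_HIVE + r"_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion"
        r"\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId",
        "DWORD (0x00000000)"),   # benign Edge noise from the same run
]
```

`triage(EVENTS)` flags records 2, 3, 4, 5, 7 and 8 and stays silent on the vssvc.exe start and the Edge registry write, and `ancestry(EVENTS, 4676)` walks vssadmin.exe back through cmd.exe and svchost.com to the two copies of the sample. Two caveats for real telemetry: the report itself shows PID 4360 used first by cmd.exe and later by OpenWith.exe, so chain reconstruction on live Sysmon data must key on ProcessGuid rather than bare PIDs; and vssadmin shadow deletion also occurs in legitimate backup maintenance, so the loader-parent and unwrap-directory rules are what separate this chain from an administrator's script.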
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXEFilesize
328KB
MD52ad11300ea49275e59564dcc2bd96bc0
SHA16a129bfce9c603338b41f11fd6deed77dbf3e0c5
SHA256ecb451deff3384dd3ee5926f56eabc73e1d870831af471efbb03569d0943532a
SHA512a6f7532d62578d408899b54fef7414c457ad2b06af26adfb7aa951c887cae4c878de71effcae37efb24830c82a67fb78c7a736a73bca94a72d302e1e22c4d011
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXEFilesize
86KB
MD5f64e665d716ea45b0703ea1de11ef297
SHA1d16ddbc5431df5ba6ed1b002dd53d8147ae5b92b
SHA256a0edc7f462ca07b88a73150f7e11eda80783265446775759fc5b195407bdb6d6
SHA512b57cb33a9ff9651477b70f1fc03cf713210398625d10e289d3d4513a73d11098217e476824d7f2831c7ee06153798a2cd1550439ba71468e7059175533114f65
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXEFilesize
5.7MB
MD5992d6f805a56370b158a185b5abe0edc
SHA199591536581adb6e818df90f264f2cda88b7ba78
SHA2566b907690201992327a45f2febea403a3d8e501dc830e2b3ebf64394941e976c1
SHA51262485bb5ab474acf7d60c3286775175f0e3d2333014f16e9d9dde50b75872368d0e73e783fea97061ff50785cb037a807ac886fb3a1d902490f906beeef28938
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exeFilesize
175KB
MD5df7bd3cc011f8371c346bb59d7143bcb
SHA1077a9aae9c2a2df960310ac6373b1705cfaaecb2
SHA256a77c0b5b1a0bfb43bf8e80fac5bc3ed45696b74258b45c78999e4bcfba6e0624
SHA512b02999eb265482388fd347ad8b5b61605d6eec7b3dc73c2b6d8615a950f134d878d0629215645faeef8d7931616c24475bc9bc4189832e2c497b9f291384e079
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exeFilesize
9.4MB
MD547f8852fb26d86c9ebb4f38a0bd1cf97
SHA15e24535b7b8a897886d589a8a09fb0a629bfe410
SHA25665e8f0a543b2f8309b14c1aeff6eeac805897efac688d5ef62cdba5f5c96f989
SHA5125b85efd2b01bd7836a98072968011fedbf119a491355657c5cccf127b7a544ae6e75762d297cf7b7f18641677cca88a7b3ae302d55e4fc2b910b905291a8ed21
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exeFilesize
2.4MB
MD5c0200aa7c15d04df7f872cd2e9a81b23
SHA15759ab3b14eb58fdab0dcad355ec9abd5ab9d9aa
SHA256422830b5e359afdf275a8567a29a94fc59727c086c174d7d06b4be97d626743e
SHA5121b88cf6ccde5f4d00a059fff0aa77a494d988c938796769f8a04ab2e7b5e765958ffd1330c7144d978e5eb219b2908f97455a76ba50fec494ace8fe33f3e22dc
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXEFilesize
183KB
MD5f74309765b884a64fda513e318edb0ed
SHA1283691d0f0ef45e0372c209e549233938982f9a1
SHA25608d12ffb1d0dd8c404a54b260006dd5159802be200a4a588c5d144d3e772926e
SHA512d6a31344db1a7e1c5d85935ad783a9e4d299871195555da69b68be1fc296d5dba8387713e1109f32e010d95fcaf6a01acac53773120056c73c8ab2f884c3c2f1
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exeFilesize
131KB
MD5f7a92d34580511b043234a5b84f11444
SHA1194b8918fd020ab9d78fb691d52a63be56dd9fd3
SHA25666884326706f740dc52f57f60dd449e6fa6070389a81fba1522204b26476156c
SHA512295301fd8fad5872a3da5e24e339da7a5b806fed72087e3f4a94705d9bb02cd431b30b53403731774ccd10ec5bb913bbb748985aca76ed76a8d32cee8f312c3f
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXEFilesize
254KB
MD5557816f7189f0526f9d77b1c51376185
SHA1aa67e15ea9e6953f3ea506e7abeb478b783c1ca3
SHA2564d87a6d29ed4e18731ec60112afc5c79a9e5a60030bf5701e4c94527a9914be2
SHA512a88694eb945a7d7d6f9adf30d8916e590398e57f71e2f1f93456fb39a68ca82496f888be2a69151ff901d00a9e7330b7bd28ee36efaf2a42d9921a88f8ffe9a3
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXEFilesize
386KB
MD52ff0923404cabe3fb3c443e119b93b8b
SHA1e0821bcb7c3edf06731c2d721360c0e7670b3f78
SHA25661427a066160e7309339dc99bf890e61118415e2df61e6058250c2b11ecb1959
SHA5126525ce992e3df89bdc1e937699835567456e8c265a95110de7a4676601fc7d30e7a384734b51328c68199281c1cc51e7ddc7ddc4cc6662a7d02298c16b71803b
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXEFilesize
92KB
MD51f3b73c683362ae586e824fa8689fb7e
SHA1c89c488ebf3e3ec4b8bfcb175a306b7f131f3a87
SHA2562cc0a2cae92c77f6f568eae551e4c7776317199c242cd3147df6066677462a77
SHA512ee79e3292d91059c0bfd5e86752f665dcf3ae34686e0dff04d9aaf554e3fbae62402ffa82cc962c8b5ed09aba7c6e63d47545f7984473eedcd531fdbf24ee151
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXEFilesize
147KB
MD5771018b3cd6dc22024f2cb08cd0808cb
SHA1d30dd47a2591868eb4ee1c84fdb6c7086e337a46
SHA2568dd5b825405bb8a0efd872d9af749678f8729beaaefae3d2ae80c9f4716d2fc8
SHA512efaafc3b12ccf94a2d651d90b5983786fb5336768cf8f798bfee33e82e143bcdf28587c2de9c8c0bad805fb03dab3853c7affbb5ea3fe3ac9171c6963942316e
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exeFilesize
125KB
MD58edbf1fb4acace8d61d730229f54916f
SHA17d471f68f54096ba9f24310b3d3baa89bb8c1ff8
SHA256498e0412d3a4506201d377b36739e5221d4c78618c39ba03ce61d581266b6514
SHA512c77832e148f6f632cc3f45f2ffe1b22e1441e61e099a3ee592122684a81d6ccc738ed77d9121ec85e907f11318dd22d8fb27aedf3d1eeaceb370808a550c6623
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXEFilesize
142KB
MD5009714630705298003534ea810df32bf
SHA14e91c9e68d89e4175517b54e5026f800e2fa44bb
SHA256f8740f3106634f193b90e94b971cae1d179a7f43c551e19511634120f5ee5bd1
SHA512d61a00fae6c9172ee4352e9dd0f112ed840e6e5b739b358a2b8eee32d61125b0dd7343f21c42d853ee86deae52efa11a9b5af200eea015846f04a44ebdca7986
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXEFilesize
278KB
MD5e90d354eeefc082ca3cb4a49ee44fff1
SHA12390b65008fc549f934649fc706c49e28fd298ee
SHA256ed4b35011a1d1676cd960ef9d77e7be3ae5fa4fd3af1c3ef2a3ba128b8e28696
SHA512c8c67def52ef15446df09877a344c8770e0a3241e8d13cbb976c812ddd6f6d718470788311c4948b51dc1e0433abc9e034dcd1729ff9fa8880404bdba50404b0
-
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXEFilesize
454KB
MD5a2de7d548b3ad05f6f9ba5b663c9bda6
SHA1680b23eca7a7df91cdc937d727502e883374bc94
SHA25648d35c563c30d8bb2a3b2057db2c15b84c27d70733e2029abfa8b7984e44dc14
SHA512499daae90d8623ae92af8c74b85fd25cbbb65962bbc50aaeead32f4e1fb53a8cc47964be0676a9e1d88b65f86d9f973d0ba47b26eabbcdd65ad71bdcefca2887
-
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exeFilesize
1.2MB
MD5ab66b64277da741b047df1c96b4eb98d
SHA1281479d360c176aca1fba301d297eb6efc30c529
SHA256ed0bd19e845c6e254f51210517feef3f5999d2c2144e2b147e5fd852ca66f2be
SHA51250f07dbe8696142e680defa510b608d36110272fa21b6ce6abae646187f6dc40d4316be935674680f89b2174c25fc34ddb1d6f33cdbeb8687c680ffc8748b161
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exeFilesize
466KB
MD5d57954d76d63b69d1ff82f6e62cee30c
SHA1e58d3135fee95ab2a451a2c40aa725ef1a97dd07
SHA256e4623665eb98736bd9b311fd6400c52382b4b01eed16cc1f4bb213b5c428a9f2
SHA5120d35b2a20c12e03c4ad4f8d046eed632a4343ea9388c17f69a8934afd8a6901be3846bcdeac6c23dff8d6de474972055fd073ad222a51ceb13f6e0d83a61d7b7
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exeFilesize
942KB
MD5fde278d8122d65d91bec21fdd7a14dd4
SHA1f4fa8a22327c290543e871d0ec1f93ee9ec97721
SHA2569d26a6e2760bb199e4ec1b03061567598d96ae8bf6a442d6de6cbab39d4facbe
SHA51261fd330f1a1324cb25655c78a62edb5c866cf6161f09b0428467e2b5d15c3ff20f3fb2bbdf8c3de93e9c081473742b073c0fb09d34dec17166942bd3b7f417ca
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exeFilesize
623KB
MD5de228ae7d0abac4614a534c486263730
SHA13450dd6bfb7eb500b22369536b7c634a662be0dd
SHA256aec6dd055e79907ee30659f0edbb0ba73870c8ac5557d1c0725994c081146689
SHA5129026d6bf66bd1f3fdfa3de7c72bb050e181fb073602adf01342d78ea82dee755217b8a02c59ab121ea8844629a01d9bfda9579f484e199538635fef029a91ebf
-
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXEFilesize
121KB
MD5e5d7279cc49074499607c8ac2bc39545
SHA1: 1849dfe7daa4f7fbf756cfb79220bbf7f7fa003c
SHA256: 525c1dc757d28e4399a1d59161741cc4542f3c6c62a9d73bd9406d5078e0491f
SHA512: 419e1a5363818ba58e4525c0b30f5089dc1caddfdf9d1688e3cb2ac86db852565fb8f5c121b3f7e7c4c2c7e4306ae49a99dbb424b247fcc44cfbf6047008984b
-
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
Filesize: 138KB
MD5: abf3503731e8b1dcb8ebf5ebb42b0088
SHA1: 5bac13ec2fc20fc01c1be716e56b90ce99f92629
SHA256: c0883c6d9acf15b8a856b5258f805d88c92642a46c44dcbd81aead5661c8fbc8
SHA512: 2312a8a51da7e8f1ce4e193574123d934eeb8c9a08371b5d1073cb17aff08d1284584608c1f86a65562cc114589ce9918027394ea06392f1764f2e6e9c1e60a3
-
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
Filesize: 217KB
MD5: 127fd5947dcc055f56f4ef6e1a6151a5
SHA1: be7558609041b78c1c8e336b79f663fe70791d44
SHA256: 5e468daf840d9297575bcc478213cd77943daf9650c6092f91f5160543f95db3
SHA512: a608acffdfd266bf1ae349d91f297cf1012f3e305f62751646cd0e8e6cee868764c033c4b6fe4c4068c4f4e5287218d5d64c8ffb6dcb31c7f95c90801ee09bad
-
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
Filesize: 138KB
MD5: 81bb0569f64eca4e40b809bf7899457a
SHA1: 95744ac57ab51102cd7c290b66a5f5c44109ff2b
SHA256: 0429992fa7d6b3e009bea26d63f1bf819c36a4be8cb32190e3c1e39039130ef5
SHA512: 470230042a8fb4b84350c4b49e2d1066ee7686303030c802cf091379fb392ed71cfab329f61724f62e2669fff88a52ef0f80d11c18a75f986f6d15f871f031a4
-
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
Filesize: 191KB
MD5: d48cc565d512ea0e558c0d21a4849a56
SHA1: 4de519c0a0999f54d99cba9c068c36551f13eb83
SHA256: 07342f809065bf6728cdfd3b74be886d89152b4d33cc3b3f11c171d4523be6c8
SHA512: 5da0271d6e8414a5f14c560f5cc4b47c63e944d1740f9bdc0c79f5721b60ba22c3b151f61e429d9383468c4b7c23140bf7af77f591b42e4868a4cb2a807fb3e2
-
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
Filesize: 251KB
MD5: 1fd29f8c494f2d87efd392bb3c35252e
SHA1: 2a44e3e9a2a123851c9b29d76952b47efbc0c112
SHA256: c49ce4c31f4417fe9a6d75b4e8efa468d428191712ece7076a539709b2adda85
SHA512: 0eabd05991bafb02f4e26bd7f0010fb8dc7bee62c550405f8206dda430420a5d5fb7a59788a64e8efad5e50e3f7694d965dacf8412e954c757177d6a71f1354d
-
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
Filesize: 326KB
MD5: f98e3b8f66eb9512a7e0977984e5e7f8
SHA1: a22ad133ed500134d02ed6bf24dcf18b6bdc1e15
SHA256: 567a28fb93c1fff70a76e0976aa60b4885cc2cbd6e23a53cc467cc60e63ffae0
SHA512: 19f97e20d3b0421661e31c0a2665fd696ce60cf21a1b050d234217722b317bcf14640fa7d329e5a4e1a4b2f113484e900742855f23b8b02da1447bc256555cd5
-
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
Filesize: 404KB
MD5: b46611fdf506f65f72b6e60c22d0ab74
SHA1: 697ff9452c5e8bb07007071e8d1a7c2cd9296533
SHA256: a26019853d13156364be913df19d3258323eaae5cab3995e9e613d3ca61beb8b
SHA512: 2572e8fd91b1d3ecd55d3642ef6260119a8f0f45210e1e858fde930a1d242dbb6a0175fe3194cc7a8bf607278e51454ddcb68f8692ddbd83da5549617c7a1884
-
C:\PROGRA~2\Google\Update\DISABL~1.EXE
Filesize: 191KB
MD5: d48cc565d512ea0e558c0d21a4849a56
SHA1: 4de519c0a0999f54d99cba9c068c36551f13eb83
SHA256: 07342f809065bf6728cdfd3b74be886d89152b4d33cc3b3f11c171d4523be6c8
SHA512: 5da0271d6e8414a5f14c560f5cc4b47c63e944d1740f9bdc0c79f5721b60ba22c3b151f61e429d9383468c4b7c23140bf7af77f591b42e4868a4cb2a807fb3e2
-
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
Filesize: 279KB
MD5: ab13f381a8f88f0183fccb48005ec571
SHA1: e51dde11f01dfc036fafd4333967840334ea62e8
SHA256: 93e5d8b6dbe29484ea0b6abe87fb06bbe96fcfd49cd9ce8b5a1126f878af5868
SHA512: baf5ca21408bb1c2b8091030cd78891d92dc6f94c9ddf410225135e94b0b390449479e3470ce4da0dd53338ce2f663d748d2480b969bc43a653c4a39e46303f9
-
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
Filesize: 129KB
MD5: b943ccde0451297c4a52d7f52128dc7a
SHA1: 5baa6d32a22432b3d04fa94f78b7d7eda6c72b4a
SHA256: 79801a8ba8ebafe817050ee69e54724188fadfc7ffac782ee167955ec3cb7d6f
SHA512: 56ba6b15ad3b40ca50113b0252283f4c0ee4a7fc58293321c44c1764a0ed3d3f4ab334d53fcbd0e093466c9140189384cbb319956b753b070b971639f1e70b01
-
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
Filesize: 494KB
MD5: dfae9fe0128a3cf16202da4e07f92f6b
SHA1: bd23c6ac66a54dabfb87c8480b94f9320aceb96f
SHA256: 54576f363d29339c302317a63d0a513e1805cf4076783deda539b0a9e1c4ccdf
SHA512: 5659c8b3a21202245fc6885b24d07ae3bfa2c19551fa235736eb1702813c156f2a2b92c652c09e25bbe77a7c27b505155dc7e5e9a52dad8cba2a53aa9cf378e9
-
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize: 6.7MB
MD5: 6e78e577ad35a3bb4356bac7cf2854a6
SHA1: 9f8717a2d899a27e3da947bfc6aedeeec0d68d68
SHA256: e4dc3a14a2332ce3dfd1dd03ba4aa01fe19c19c2847c9e2f3351649c880c6925
SHA512: 7129ccb7acef36aae40dae6d8af25f7459de87355b9951bf39c84ebd5b4086985f4c97fb0c7cea4661df46fddf84f15c303dc0bcd2cca81cff53d460453e14da
-
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize: 485KB
MD5: 1667041e2660fd5337833e038692714a
SHA1: f9876800bac72a8f0246245b74fbdc2893028b7a
SHA256: 55387def53b316cc240e1b8adeef45a5ffb509ac88c62e3c06c02b710fae4762
SHA512: 3dce201ebb1408eff937f514e0503d5be033cbb0c67e042fa136d2a2cb7db8d4aa0de8b61b1d7e312a60d94c7a7e0ca55b41569ef4b319b3c045c44c1b1e4b55
-
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize: 674KB
MD5: d05f5c25b66d6321ea7ee1b02cf5e231
SHA1: 9c09485373d0becdbce7c430cf84152edb0aab09
SHA256: 0e7958fcff9e0cacb5629a0aba2278a1afcdb8bcbc1b2ccf32d5621e2e97b854
SHA512: 5b29c543d3a237b56e3238cfc428dfc3a94b85499d90648da57bf142201a03977e0e031d9f248555589f78825a98dc78e842cc1b38917666f39e66b18fcf05d1
-
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize: 674KB
MD5: b382592ef61da60cc4f2bb94becf2077
SHA1: 02ebb03981919cd23dffc378e15bcb858ec73104
SHA256: 891752e283b2a4490e09f0c0a07f7100b768dc43eed031990d991d4201449c2b
SHA512: d7f9f6e06c5dad8887067a929e23aac30e98dec42d176f1f8a309a1304eded98fab904e0fbc12fa7abb22a40217939923132269c348ab4131628323f50b92d5b
-
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize: 495KB
MD5: 71f6943b845b0f16f2055a40eae6854e
SHA1: 437cdddc054e9f11c9dfb5fe45aca5be4b993987
SHA256: 5a9db6933b75160388d1258e8a8e0cc687c3a846fbed3ecf7715766549fc82a1
SHA512: d505e7b0605c3169ce71a715928fc4cb79ac266bbb3b09143462cbce0f58bac6deaf1fed64418651ab14bda3da902e2563cf8bb2a20e66c3749b0329ebbed96f
-
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize: 485KB
MD5: 7ebd44fba8871a5e14092fb1f9d05bb1
SHA1: c4e1639e431f9c9058c898e574b24ad33ba290b7
SHA256: db27e54f4835715dd4aed1fc482d2d9d564b814da743d1435a95cd0d19f8b941
SHA512: 3d50f3005b88561c2254c51938e95546ed4e4a9221ead757cb0a8067b60352dc74d395d35bfed7a3965b3c901b6633e8e6140fd0dffa5b2014a96476db8fc8ee
-
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize: 495KB
MD5: 34cf248013321558d95a58a1d33a00d3
SHA1: 0e94fa1391ad33b1dc3e1a81f83476c0e3b8e41f
SHA256: 28e85cf418321b5f7898a4c386283ab8d02cf56e6f1ee9d1af192e2222d9f32e
SHA512: cf2ae5fab74473be8b5899016415d5599248062a0c4733c0592bf18da5c044d8498dbaa71725f23b544e3d9e5daa396c242e99cd415028ef1f0f86e3c34bd881
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize: 4KB
MD5: f7dcb24540769805e5bb30d193944dce
SHA1: e26c583c562293356794937d9e2e6155d15449ee
SHA256: 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512: cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: f60b261fa864803670980251960b8d45
SHA1: 0423aa6407d944a6f826e8ff197014a75114572b
SHA256: e55b79fb46ab833b600da6bcc39eedf6650e6dc890485c85e41e14d11ccd0055
SHA512: 2e8ba8c5e37d8fa0d26237bac4c47928a28762959bb2873269721c7d9be7b66b10e6d058d9c855486948ee8eb591e5fd3a57fb091e44e4ad16436af74b4da357
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize: 340B
MD5: cee55e0c6d1f84b39afdc8f10226abb9
SHA1: a9f6f5de48e0ad0a6718a77b70c19352e89bcaf4
SHA256: 8343c4cda5a2c892461b046c2eee95afe6ed2e824bbf4a92a2eb5f8c30c60a98
SHA512: 87e9af19dddd2f84a3f79cf57570c3e7b1242053acc055365ad2f65e6f6375162854ed0c9068eb61d11e581f8f3e4a8436c3417a979e3f94b3c84c967913d1ab
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize: 340B
MD5: 67a59bfe296065ced1620f62b6c1c73a
SHA1: 939f3a241cafb1e310e8cf91b6fc8cc2e197dbd6
SHA256: cd250d08ae8f282617a6f24a330e3b9abd5be82f208fb4f25b60044a6d353877
SHA512: e3914b43d39ea38736a5f759adb05c47b505ffacf9b482199f3e53a45a87bd3f2a1e93788ab9a17a156daedc4d72ce47f00ee352290d33ad374a56aa598adb84
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 434B
MD5: 52f3576af30da0546971eae0114c79ab
SHA1: 14e8945d09dcb08f568831b298cf243488e9dd20
SHA256: 7174351b8a4fc73ce5f514169c12cff1756799aa96df1aeac0184c365655864b
SHA512: 1765208b744030a49d19d669cbc4e98853333f61d5302db682bac8a386dd14a6709d777fd1edaaca6bdbef00a9800274826877d488e549b6a2a213508503bc04
-
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE
Filesize: 499KB
MD5: 905d453a862088233ccf791fd82f3b89
SHA1: e6b062b6121bd72d94dd262af13be45441982922
SHA256: f8e418429e0aeb63a6466c69e6997e44ceaff3f7ff6edb0d5c0af43b06695dea
SHA512: e00088da9157342f8423ea228bc68564392c6cf897771136d3f4ca364a5e1200369a3d9608f01872892074c1dd0a232cee0a17b2befb6cfd445687f5960f1036
-
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE
Filesize: 293KB
MD5: ae524cfc4fc0db45864ed8e94cb45de7
SHA1: a43bdbbbd9fefb10a1ec83637b63385d834abcdd
SHA256: 7d26826c47dc9bbbcd63454436f8a7769268c925e2d6d7c35a80286abc2d9599
SHA512: 8bf1121dbe3265563a34990d74c60917cc674361e8b1d9f81491791a22c8c4a487667fd852f3b99eb3ccbd4fdf8651aa3c91d30c94f0b738764193c7664f3c69
-
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE
Filesize: 2.4MB
MD5: c6689b36f39d3813c630ec0ffb3be5ed
SHA1: 4b70dc7cde84549c5e66ac502a6e4bbdb6789281
SHA256: 509f6ae9198e25814b9097b19d7f8271baae43e25f420198980b1b4ad5e7c0f9
SHA512: 44ed7f00494f4d2fa8d0bb5f08943c848a3c6c690371eab9149ea1496106af5123079549a3fd186797d966fb3bf2b9702cbf6f16f2c1187aff2e73a31efeed95
-
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe
Filesize: 1.6MB
MD5: cf06a58cfebba708b76cda654cf000dd
SHA1: 43e422afda7f75e9855e641c1dd9137496730f88
SHA256: f1d846a6e9f0c1ef619a04c9fca1c6fea8a9fd2a022045a1fb9104e5becc8703
SHA512: 262605d2b5fa6fbc768013ce3c5b60735bfbfebb6243fc4e3f98c6644dd6e222fe425ba77a9affc4c259dba1987830ec903a0b3b27d0802123c5dd7de999ec9a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\T7JFOISB.cookie
Filesize: 615B
MD5: 38dd984f766f4903540a94d2a836922e
SHA1: cdc83f91cf1f9608032e50e7152017096ae3d777
SHA256: c22f3b5e88d6ab912031dfab3036b3787e63858cb194b580f5d99ec95e114580
SHA512: 1fe632b5c5a38427200aa477fa2144ea925e1d6b55c05fc58680ba2dbf3ae1e77232f56cff9a3a5020d023580c3a12862e3a3d737329602e69b1250a268e4e53
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZJIX01N8.cookie
Filesize: 615B
MD5: f7a88a10874c2d5cba9c6c72e740a92b
SHA1: 22cdc86e22145b80efb2971dc4d50039daa60491
SHA256: 8b04c28f2800f905f13a5f8d3878de38eddc56611b6f6f2a8cc916df87234465
SHA512: 66b84358896a9882371529091e41f0ca9d85228a2cd69a767a1532191ddbcd05a8782b0f4d113018b44985ec9cc61a0b4578f216bb304c273ab95c2a49ce8c16
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
Filesize: 512KB
MD5: 232308f40ec2b42c2ed38e66da4c07f2
SHA1: 791f66aa3b0ac1d4efaf616da912a9bcca794a98
SHA256: 658da9be2d22816010696bb1f9f75b83e829de46d258f46812c570b9c0bd820a
SHA512: 12786c90dddf1fd29c8b6240fe6c2735b2f714771602b68190ee33060ce045ca8819ae17236d76c9eb0950cffa4ff8b77b1c084e77e62b7b842b837d4e83b127
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
Filesize: 8KB
MD5: 42456f8e28b5f63466262853609a9e9f
SHA1: 9f637a30ee0e9b4d6b4395fcaff4fbd9f7bcc0c9
SHA256: f1a4346234a5ca356aeb870ddab871a71b07190501403377bdb114efa0f37ed1
SHA512: e6956238b4427a3d1d20bcfd9633a086b1aa98908a5f8bd9cc4271229339a23b4e639e46f217d408b8d43fdfed6c674cd80f410bd36841fa2ad655bdc17efe89
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
Filesize: 2.0MB
MD5: 247c6b8c9b09e4f2422d749592c4f133
SHA1: 5e94390a8a150e1655810f1f8da666098c3d73aa
SHA256: 42514f4546c4cf3c52400b9402f55e12efa21a3627bccec4ba5d7adfb143ffe3
SHA512: 5417c5d9b5ffdf57b1e76c161cdcfd4592884e581c615fa148f03e22e7d4b966f75a734f6939cee1f625396d324918bdf60ae87ed8e2855bc2ae890fcf9e6ea4
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
Filesize: 16KB
MD5: 025d5a53fc7a2bae2729d7674e5550d0
SHA1: f4e19c0bf006ec6df33791515875ef0acd8ce777
SHA256: 160529ba226c76e8876f577d11344fb71ae11af512d1b25b17169cce9aea1597
SHA512: e40f9b52378a757001901671d2f21704b9fea10628a2bd5a80a679d90b4bb2a17e12b11431718f92853940038ba29610f19d7ade9d0daabe6a2bf69b20b3a06d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{67F4A512-A504-4858-837E-5F05588D210D}.dat
Filesize: 4KB
MD5: f447a90ca6d8ea37d80a37c6c7ea194e
SHA1: 594ccdf282743e5c815f14ac742cbeef1448fe7d
SHA256: c9a4137c5e182703d45c2d624a1eaa9a035d60d1867519b1cd0bdb2a524b4182
SHA512: 7c1895d450db525cfb53568bad0792302fbec6bdbabeafe43677f2ace31cba6e04b3ac5e55cc1523018bf4a504400d994f27dbd16e6af73ab9d098a4f54a50f2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.pri
Filesize: 207KB
MD5: e2b88765ee31470114e866d939a8f2c6
SHA1: e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256: 523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512: 462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exe
Filesize: 179KB
MD5: d0190f94e6d05104977c53b55dbc2911
SHA1: c0ff002b0e26b180a741c3cefff15190df7746cc
SHA256: f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69
SHA512: d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868
-
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
Filesize: 8B
MD5: 7f025521b2d69fa10b63d5815c778088
SHA1: 4ee9938fdd3d65ab0f1fc44bc6c4d9e69c74088d
SHA256: aad030ec7a62e88697fb17fc300898b8f0d18b96261c3225efda37b0396f5735
SHA512: 9f66c9ef69ac83866a1cb836ddc34a6ee6fe9836f3bb513cdd31653c77eb60f46972c8c70b6d6a3f598d9552d53ea294c6ed6cf8461b23d7608c83be8b0767c1
-
C:\Windows\svchost.com
Filesize: 40KB
MD5: f8bb657a6fc0c20225ad5e94276a656a
SHA1: a54b415198a6c64ebd84895fc78c544efb3377a8
SHA256: b878817c18c7103c4c9b8649cad38b16341232386a29551453193c46703bcb2f
SHA512: a7e2a3a0be0d908b03ac47e9a756e0cdd71a5a80486d48907d52ebd276e5ea983f2825390ed37e7c332ed395ac5104a6cd48ff464c2cc3e6338471ea08d78a66
-
C:\odt\OFFICE~1.EXE
Filesize: 5.1MB
MD5: 35f43ffd6f3e21e90ed23f820c1de339
SHA1: 5510a6a44ac45650a61a2b669c6d00aa83325e44
SHA256: 718d2e212e6cb08f46e29f32069868c7385321afca989ab1fd06268c287aad7a
SHA512: 388f6afd13d6050954fa444b653834a3aad14c3b046e8eb1d9fa5ae9a92b98d76ac6fca1c9232369c369b38d08c2916eeda01278437ee841bce6a75b79797f3b
-
memory/2792-120-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-121-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-122-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-123-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-124-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-125-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-126-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-127-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-128-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-129-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-130-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-131-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-132-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-133-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-134-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-135-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-136-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-137-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-138-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-139-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-140-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-141-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-142-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-143-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-144-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-145-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-146-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-147-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-148-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-149-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-150-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-151-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-152-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-153-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-154-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-155-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-156-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-157-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-158-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-159-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-160-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/2792-161-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-162-0x0000000000000000-mapping.dmp
memory/3636-164-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-165-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-166-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-167-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-168-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-169-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-170-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-172-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-173-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-174-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-175-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-176-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-177-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-178-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-179-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-180-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-181-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-182-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-183-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-184-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-185-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/3636-186-0x0000000077BF0000-0x0000000077D7E000-memory.dmp  Filesize: 1.6MB
memory/4360-261-0x0000000000000000-mapping.dmp
memory/4556-389-0x0000000000000000-mapping.dmp
memory/4676-268-0x0000000000000000-mapping.dmp
memory/4844-226-0x0000000000000000-mapping.dmp
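Two things about this dropped-files list matter before any of it is turned into indicators. First, every entry records content written during the run, so the Google Update, Mozilla, Visual C++ redistributable, OneDrive and Office binaries here carry digests of what the sample left on disk, not of the vendor originals; blocking them as "Google Update" or "vcredist" would be wrong. Second, two paths in the list are the characteristic on-disk artifacts of the Neshta file infector named in the sample's tag: the copy it plants as C:\Windows\svchost.com and the Temp\3582-490 directory it moves infected originals into (a fact about the family from public analyses, not something this report states). The Python below is an added example, not part of the report or of the sandbox's tooling. It parses the plain-text form in which listings like this one are scraped (the column label fused onto the value: a path line ending in Filesize, digest lines such as SHA1<hex>), validates each digest by label and length, collapses the verbatim repeats that such listings produce when a file is written more than once, flags the Neshta paths, and checks a file recovered from a host against a record. Assumptions: KB and MB are binary units, and the report's sizes are rounded. The embedded SAMPLE is copied verbatim from two entries above.

```python
"""Parse a flattened sandbox 'dropped files' listing into IOC records.

Added example, not part of the sandbox report or of the sandbox's tooling. Input is
the plain-text form of such a listing: a path line with the column label "Filesize"
fused onto it, the size, MD5/SHA1/SHA256/SHA512 lines with the label fused onto the
hex digest, and a lone "-" closing the entry (memory dumps carry no digests).
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex chars
HEX = re.compile(r"^[0-9a-f]+$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}  # assumption: the report uses binary units
# Neshta's on-disk artifacts as described in public analyses of the family: its copy
# in the Windows directory and the directory it moves infected originals into.
NESHTA_PATH_MARKERS = ("\\windows\\svchost.com", "\\temp\\3582-490\\")

@dataclass
class Dropped:
    path: str
    size_bytes: Optional[int] = None
    hashes: dict = field(default_factory=dict)

def split_digest_line(line):
    """Return (algo, hexdigest) for a fused line such as 'MD5d41d8...', else None."""
    for algo, n in DIGEST_LEN.items():
        digest = line[len(algo):]
        # Label prefix plus the exact digest length for that label validates the line.
        if line.startswith(algo) and len(digest) == n and HEX.match(digest):
            return algo, digest
    return None

def parse_size(text):
    """'40KB' -> 40960. Report sizes are rounded, so treat the result as approximate."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)(B|KB|MB)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])

def parse_listing(text):
    """Walk the listing; a lone '-' closes the current entry, the next line opens one."""
    records, cur = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "-":
            if cur is not None:
                records.append(cur)
            cur = None
        elif cur is None:
            cur = Dropped(path=line.removesuffix("Filesize"))
        elif (digest := split_digest_line(line)) is not None:
            cur.hashes[digest[0]] = digest[1]
        elif cur.size_bytes is None:
            cur.size_bytes = parse_size(line)
        else:
            raise ValueError(f"unexpected line in entry {cur.path!r}: {line!r}")
    return records if cur is None else records + [cur]

def dedupe(records):
    """Collapse verbatim repeats (same path, same digests) into (record, count) pairs."""
    counts, first = Counter(), {}
    for r in records:
        key = (r.path, tuple(sorted(r.hashes.items())))
        counts[key] += 1
        first.setdefault(key, r)
    return [(first[k], counts[k]) for k in first]

def neshta_indicators(records):
    """Paths matching Neshta's known artifacts, independent of how the sandbox labelled them."""
    return [r.path for r in records
            if any(m in r.path.lower() for m in NESHTA_PATH_MARKERS)]

def verify_bytes(data, record):
    """True if every digest the record carries matches data (e.g. a file pulled from a host)."""
    return bool(record.hashes) and all(
        hashlib.new(a.lower(), data).hexdigest() == h for a, h in record.hashes.items())

# Constructed input: two entries copied verbatim from the report.
SAMPLE = r"""
C:\Windows\svchost.comFilesize
40KB
MD5f8bb657a6fc0c20225ad5e94276a656a
SHA1a54b415198a6c64ebd84895fc78c544efb3377a8
SHA256b878817c18c7103c4c9b8649cad38b16341232386a29551453193c46703bcb2f
SHA512a7e2a3a0be0d908b03ac47e9a756e0cdd71a5a80486d48907d52ebd276e5ea983f2825390ed37e7c332ed395ac5104a6cd48ff464c2cc3e6338471ea08d78a66
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2023-02-08_69d6f75b8cfd52216a6ff4b0861655ef_neshta_revil_sodinokibi.exeFilesize
179KB
MD5d0190f94e6d05104977c53b55dbc2911
SHA1c0ff002b0e26b180a741c3cefff15190df7746cc
SHA256f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69
SHA512d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868
-
"""
```

The label and length check in split_digest_line is what makes the fused lines safe to parse: a line starting with SHA1 followed by exactly 40 hex characters cannot be confused with a SHA256 line, and a digest with the wrong length is rejected instead of silently becoming an indicator. Run parse_listing over the whole report text, feed the result to dedupe to get one record per distinct (path, digests) pair with the number of times it was written, and use verify_bytes against the bytes of a suspect file from a host to confirm or rule out a match; the svchost.com and Temp\3582-490 records are the ones to hunt for first, since they are the file infector rather than the infected host binaries.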