Analysis
max time kernel: 143s
max time network: 146s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 20:25

Static task: static1
Behavioral task: behavioral1
  Sample: DHL __.pdf(1).exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: DHL __.pdf(1).exe
  Resource: win10v2004-20241007-en

General
Target: DHL __.pdf(1).exe
Size: 555KB
MD5: cd4a9b992171f893ae11fbff7d1b9252
SHA1: 7fcb6fa46300ee32d6abb30627e841a13e0269bf
SHA256: 578d694adb18d1dda0ee217c2c08e2e99f5d1bb9bafe6f3962844bbe6e6ebf12
SHA512: 24aed4844f20d9b025c8f8ee0429bb4f3432573cc08e86e8014cd82d56ed22c1caa7ac4bbaa95ff4790d5240d0641806f44104f65fa2541803d6552ae5745014
SSDEEP: 6144:thTFzbi0i83BJ5NraUGTRQrFc67uSCLc9aDYU07XbUAWAVf:DJq0i83B3la7GYDVaXDVf
Malware Config
Extracted
Family: sodinokibi
pid: 30
sub: 97
Domains (from the extracted config, one per line; entries carrying an explicit port are shown as host:port):
sytzedevries.com
druktemakersheerenveen.nl
energosbit-rp.ru
business-basic.de
acibademmobil.com.tr
leansupremegarcinia.net
worldproskitour.com
shortsalemap.com
pansionatblago.ru
humanviruses.org
ya-elka.ru
block-optic.com
silkeight.com
carmel-york.com
unexplored.gr
hotjapaneselesbian.com
forextimes.ru
avisioninthedesert.com
agenceassemble.fr
keyboardjournal.com
omnicademy.com
nginx.com
bodet150ans.com
hostaletdelsindians.es
blueridgeheritage.com
richardiv.com
adedesign.com
keuken-prijs.nl
jmmartinezilustrador.com
lumturo.academy
gaearoyals.com
reizenmetkinderen.be
diverfiestas.com.es
thepixelfairy.com
theboardroomafrica.com
brisbaneosteopathic.com.au
specialtyhomeservicesllc.com
greenrider.nl
fire-space.com
jobscore.com
airserviceunlimited.com
activeterroristwarningcompany.com
o2o-academy.com
tatyanakopieva.ru
5pointpt.com
letsstopsmoking.co.uk
the5thquestion.com
bourchier.org
dmlcpa.com
lovetzuchia.com
groovedealers.ru
liveyourheartout.co
grupoexin10.com
istantidigitali.com
turing.academy
avtoboss163.ru:443
drvoip.com
dentourage.com
sharonalbrightdds.com
gardenpartner.pl
nvisionsigns.com
asiaartgallery.jp
jag.me
skolaprome.eu
anleggsregisteret.no
teethinadaydentalimplants.com
spartamovers.com
prodentalblue.com
carsten.sparen-it.de
mrkluttz.com
pajagus.fr
advanced-removals.co.uk
trevi-vl.ru
dierenambulancealkmaar.nl
radishallgood.com
fta-media.com
myplaywin3.com
kartuindonesia.com
apmollerpension.com
tanatek.com
cp-bap.de
eshop.design
brighthillgroup.com
toranjtuition.org
distrifresh.com
fascaonline.com
cardsandloyalty.com
watchsale.biz
ilovefullcircle.com
mazzaropi.com.br
ziliak.com
rhino-turf.com
geoweb.software
hameghlim.com
johnkoen.com
riffenmattgarage.ch
bohrlochversicherung.info
motocrosshideout.com
hiddensee-buhne11.de
omegamarbella.com
memphishealthandwellness.com
geitoniatonaggelon.gr
angeleyezstripclub.com
dogsunlimitedguide.com
qrs-international.com
dinedrinkdetroit.com
hoteltantra.com
kelsigordon.com
nutriwell.com.sg
ced-elec.com
schluesseldienste-hannover.de
k-zubki.ru
chorusconsulting.net
ludoil.it
mollymccarthydesign.com
fidelitytitleoregon.com
powershell.su
michaelfiegel.com
nicksrock.com
vapiano.fr
biblica.com
renehartman.nl
switch-made.com
xn--80addfr4ahr.dp.ua
cac2040.com
birthplacemag.com
basindentistry.com
fysiotherapierijnmond.nl
leadforensics.com
creohn.de
noda.com.ua
lmmont.sk
airvapourbarrier.com
bagaholics.in
thisprettyhair.com
signamedia.de
skooppi.fi
mariamalmahdi.com
greeneyetattoo.com
jimprattmediations.com
bertbutter.nl
michal-s.co.il
smartmind.net
iron-mine.ru
augen-praxisklinik-rostock.de
iactechnologies.net
salonlamar.nl
jayfurnitureco.com
wrinstitute.org
veggienessa.com
baikalflot.ru
adabible.org
delegationhub.com
soncini.ch
georgemuncey.com
hekecrm.com
kemtron.fr
logosindustries.com
lookandseen.com
buffdaddyblog.com
relevantonline.eu
redpebblephotography.com
skidpiping.de
jglconsultancy.com
90nguyentuan.com
shortysspices.com
yvesdoin-aquarelles.fr
nevadaruralhousingstudies.org
amelielecompte.wordpress.com
arthakapitalforvaltning.dk
skyscanner.ro
rarefoods.ro
blucamp.com
zealcon.ae
mangimirossana.it
amyandzac.com
metcalfe.ca
smartworkplaza.com
guohedd.com
akcadagofis.com
drnelsonpediatrics.com
charlesfrancis.photos
weddingceremonieswithtim.com
bcabattoirs.org
four-ways.com
insane.agency
chris-anne.com
fskhjalmar.se
altocontatto.net
cymru.futbol
bubbalucious.com
alnectus.com
directique.com
mazift.dk
neolaiamedispa.com
mieleshopping.it
entdoctor-durban.com
lesyeuxbleus.net
itheroes.dk
craftingalegacy.com
sycamoregreenapts.com
broccolisoep.nl
mondolandscapes.com
andermattswisswatches.ch
nepal-pictures.com
afbudsrejserallinclusive.dk
aidanpublishing.co.uk
11.in.ua
sealgrinderpt.com
alpesiberie.com
the-beauty-guides.com
perfectgrin.com
krishnabrawijaya.com
gazelle-du-web.com
oexebusiness.com
whoopingcrane.com
nalliasmali.net
buzzneakers.com
cssp-mediation.org
clemenfoto.dk
reputation-medical.online
andreaskildegaard.dk
malevannye.ru
ivancacu.com
spacebel.be
cops4causes.org
glennverschueren.be
adaduga.info
innervisions-id.com
animation-pro.co.uk
aoyama.ac
aciscomputers.com
bajova.sk
cascinarosa33.it
trainiumacademy.com
tages-geldvergleich.de
casinodepositors.com
rivermusic.nl
digitale-elite.de
eatyoveges.com
almamidwifery.com
log-barn.co.uk
projektparkiet.pl
barbaramcfadyenjewelry.com
schulz-moelln.de
hensleymarketing.com
gta-jjb.fr
abulanov.com
skyboundnutrition.co.uk
jaaphoekzema.nl
mslp.org
curtsdiscountguns.com
ownidentity.com
morgansconsult.com
poems-for-the-soul.ch
selected-minds.de
cc-experts.de
koncept-m.ru
rtc24.com
look.academy
latableacrepes-meaux.fr
cincinnatiphotocompany.org
boloria.de
irizar.com
louiedager.com
ruggestar.ch
peppergreenfarmcatering.com.au
goddardleadership.org
rino-gmbh.com
customroasts.com
lassocrm.com
theintellect.edu.pk
alaskaremote.com
elex.is
parseport.com
thegrinningmanmusical.com
makingmillionaires.net
2020hindsight.info
nepressurecleaning.com
legundschiess.de
charlottelhanna.com
triplettabordeaux.fr
utilisacteur.fr
optigas.com
jameswilliamspainting.com
zumrutkuyutemel.com
factorywizuk.com
awaisghauri.com
yayasanprimaunggul.org
speiserei-hannover.de
fsbforsale.com
mahikuchen.com
narca.net
easydental.ae
1deals.com
domaine-des-pothiers.com
mercadodelrio.com
fann.ru
lovcase.com
otpusk.zp.ua
enews-qca.com
premier-iowa.com
ledyoucan.com
innovationgames-brabant.nl
wademurray.com
rvside.com
oro.ae
alisodentalcare.com
mursall.de
oncarrot.com
moira-cristescu.com
buonabitare.com
ramirezprono.com
rapid5kloan.org
startuplive.org
alattekniksipil.com
ygallerysalonsoho.com:443
pinthelook.com
khtrx.com
bayshoreelite.com
janmorgenstern.com
kdbrh.com
bilius.dk
stoneridgemontessori.com
wordpress.idium.no
colored-shelves.com
hutchstyle.co.uk
deziplan.ru
finsahome.co.uk
factoriareloj.com
pilotgreen.com
subquercy.fr
anchelor.com
bakingismyyoga.com
triavlete.com
fitnessblenderstory.com
hartofurniture.com
bratek-immobilien.de
a-zpaperwork.eu
redctei.co
p-ride.live
acornishstudio.co.uk
teamsegeln.ch
production-stills.co.uk
quitescorting.com
bellesiniacademy.org
janellrardon.com
iexpert99.com
agriturismocastagneto.it
hotelturbo.de
campusce.com
dcc-eu.com
heuvelland-oaze.nl
orchardbrickwork.com
rizplakatjaya.com
burg-zelem.de
imaginekithomes.co.nz
pokemonturkiye.com
napisat-pismo-gubernatoru.ru:443
9nar.com
margaretmcshane.com
bonitabeachassociation.com
littlesaints.academy
globalcompliancenews.com
zwemofficial.nl
metriplica.academy
davedavisphotos.com
raeoflightmusic.com
catering.com
brannbornfastigheter.se
wribrazil.com
jdscenter.com
belofloripa.be
efficiencyconsulting.es
prometeyagro.com.ua
saboboxtel.uk
monstarrsoccer.com
jlwilsonbooks.com
mamajenedesigns.com
motocrossplace.co.uk
shrinkingplanet.com
protoplay.ca
jobstomoveamerica.org
pays-saint-flour.fr
animalfood-online.de
modamarfil.com
onlinemarketingsurgery.co.uk
forumsittard.nl
parksideseniorliving.net
kryddersnapsen.dk
jalkapuu.net
goodboyscustom.com
queertube.net
kookooo.com
b3b.ch
chatterchatterchatter.com
ox-home.com
karelinjames.com
premiumweb.com.ua:443
from02pro.com
pixelhealth.net
banukumbak.com
awaitspain.com
laylavalentine.com
explora.nl
profibersan.com
wasnederland.nl
campinglaforetdetesse.com
greatofficespaces.net
primemarineengineering.com
belinda.af
bjornvanvulpen.nl
der-stempelking.de
k-v-f.de
fotoslubna.com
sjtpo.org
uncensoredhentaigif.com
alabamaroofingllc.com
artvark.nl
yourhappyevents.fr
brinkdoepke.eu
skoczynski.eu
jollity.hu
topautoinsurers.net
glas-kuck.de
subyard.com
harleystreetspineclinic.com
fluzfluzrewards.com
the-cupboard.co.uk
kroophold-sjaelland.dk
zuerich-umzug.ch
mediogiro.com.ar
alharsunindo.com
galatee-couture.com
espaciopolitica.com
zorgboerderijravensbosch.nl
paardcentraal.nl
mayprogulka.ru
acumenconsultingcompany.com
smartercashsystem.com
annenymus.com
palmenhaus-erfurt.de
laaisterplakky.nl
markseymourphotography.co.uk
phukienbepthanhdat.com
smartspeak.com
terraflair.de
sachainchiuk.com
bruut.online
coachpreneuracademy.com
qandmmusiccenter.com
dnqa.co.uk
beandrivingschool.com.au
julielusktherapy.com
eyedoctordallas.com
dr-vita.de
rishigangoly.com
rsidesigns.com
rubyaudiology.com
deduktia.fi
stitch-n-bitch.com
egpu.fr
tradenavigator.ch
wg-heiligenstadt.de
tramadolhealth.com
billigeflybilletter.dk
chomiksy.net
licensed-public-adjuster.com
kenmccallum.com
bulyginnikitav.000webhostapp.com
line-x.co.uk
profiz.com
ijsselbeton.nl
supercarhire.co.uk
paradigmlandscape.com
internestdigital.com
eastgrinsteadwingchun.com
fotoeditores.com
proffteplo.com
foerderverein-vatterschule.de
affligemsehondenschool.be
piestar.com
askstaffing.com
fanuli.com.au
mariannelemenestrel.com
tilldeeke.de
direitapernambuco.com
pankiss.ru
walterman.es
funworx.de
die-immo-agentur.de
precisetemp.com
physio-lang.de
graygreenbiomedservices.com
happylublog.wordpress.com
skinkeeper.li
oraweb.net
stage-infirmier.fr
bd2fly.com
happycatering.de
kellengatton.com
osn.ro
thestudio.academy
eksperdanismanlik.com
auto-opel.ro
pedmanson.com
lifeinbreaths.com
lyricalduniya.com
envomask.com
midwestschool.org
ayudaespiritualtamara.com
stagefxinc.com
hm-com.com
computer-place.de
soundseeing.net
jefersonalessandro.com
lisa-poncon.fr
thenalpa.com
condormobile.fr
miscbo.it
scentedlair.com
epicjapanart.com
speakaudible.com
descargandoprogramas.com
mind2muscle.nl
frimec-international.es
avis.mantova.it
luvinsburger.fr
hawaiisteelbuilding.com
saberconcrete.com
kafkacare.com
internalresults.com
furland.ru
penumbuhrambutkeiskei.com
unislaw-narty.pl
marcandy.com
hepishopping.com
carolynfriedlander.com
opt4cdi.com
tastevirginia.com
brownswoodblog.com
larchwoodmarketing.com
texanscan.org
magrinya.net
edrickennedymacfoy.com
circlecitydj.com
witraz.pl
mgimalta.com
kerstliedjeszingen.nl
ravage-webzine.nl
lunoluno.com
ahgarage.com
galaniuklaw.com
frameshift.it
kompresory-opravy.com
pazarspor.org.tr
billscars.net
zdrowieszczecin.pl
spectamarketingdigital.com.br
mbuildinghomes.com
levencovka.ru
tothebackofthemoon.com
gratiocafeblog.wordpress.com
evsynthacademy.org
ideamode.com
cmeow.com
masecologicos.com
bg.szczecin.pl
azerbaycanas.com
tutvracks.com
dreamvoiceclub.org
flossmoordental.com
letterscan.de
bookingwheel.com
designimage.ae
mneti.ru
yourcosmicbeing.com
purepreprod4.com
go.labibini.ch
sellthewrightway.com
mrcar.nl
chinowarehousespace.com
breathebettertolivebetter.com
gosouldeep.com
promus.ca
matteoruzzaofficial.com
global-migrate.com
bodymindchallenger.com
agrifarm.dk
peninggibadan.co.id
cesep2019.com
tbalp.co.uk
artcase.pl
jandhpest.com
web865.com
kristianboennelykke.dk
electricianul.com
hvitfeldt.dk
amco.net.au
adterium.com
oportowebdesign.com
thehovecounsellingpractice.co.uk
cuadc.org
fi-institutionalfunds.com
transifer.fr
livedeveloper.com
karmeliterviertel.com
forskolinslimeffect.net
santastoy.store
loysonbryan.com
levelseven.be
endlessrealms.net
invela.dk
kosten-vochtbestrijding.be
antesacademy.it
voice2biz.com
leijstrom.com
cap29010.it
vitormmcosta.com
rokthetalk.com
hostastay.com
inewsstar.com
wallflowersandrakes.com
centuryvisionglobal.com
bridalcave.com
ufovidmag.com
ntinasfiloxenia.gr
etgdogz.de
werkzeugtrolley.net
jobkiwi.com.ng
clinic-beethovenstrasse-ag.ch
husetsanitas.dk
kuriero.pro
finnergo.eu
topvijesti.net
ultimatelifesource.com
unboxtherapy.site
perceptdecor.com
zaczytana.com
enactusnhlstenden.com
rename.kz
dinecorp.com
catchup-mag.com
devplus.be
haus-landliebe.de
linearete.com
initconf.com
altitudeboise.com
bescomedical.de
berdonllp.com
scholarquotes.com
bychowo.pl
metallbau-hartmann.eu
sppdstats.com
agendatwentytwenty.com
xtensifi.com
marmarabasin.com
reygroup.pt
ketomealprep.academy
johnstonmingmanning.com
landgoedspica.nl
sochi-okna23.ru
lagschools.ng
wineandgo.hu
satoblog.org
slotenmakerszwijndrecht.nl
wirmuessenreden.com
lattalvor.com
triplettagaite.fr
webforsites.com
3daywebs.com
imagine-entertainment.com
molade.nl
aberdeenartwalk.org
ceocenters.com
bendel-partner.de
newonestop.com
thiagoperez.com
boyfriendsgoal.site
nykfdyrehospital.dk
buerocenter-butzbach-werbemittel.de
cleanroomequipment.ie
mindfuelers.com
photographycreativity.co.uk
palema.gr
craftstone.co.nz
putzen-reinigen.com
ocduiblog.com
site.markkit.com.br
patassociation.com
ncjc.ca
xn--80abehgab4ak0ddz.xn--p1ai
pinkxgayvideoawards.com
allinonecampaign.com
leopoldineroux.com
christianscholz.de
awag-blog.de
rs-danmark.dk
imajyuku-sozoku.com
gavelmasters.com
muller.nl
aheadloftladders.co.uk
testitjavertailut.net
expohomes.com
gsconcretecoatings.com
vitoriaecoturismo.com.br
datatri.be
nxtstg.org
duthler.nl
leloupblanc.gr
justaroundthecornerpetsit.com
alcye.com
eafx.pro
ebible.co
biketruck.de
sbit.ag
encounter-p.net
handyman-silkeborg.dk
tellthebell.website
ikadomus.com
mrmac.com
mac-computer-support-hamburg.de
muni.pe
annida.it
mike.matthies.de
bavovrienden.nl
angelika-schwarz.com
sveneulberg.de
klapanvent.ru
livelai.com
globalskills.pt
baita.ac
biodentify.ai
denhaagfoodie.nl
cookinn.nl
autoteamlast.de
heimdalbygg.no
citydogslife.com
hypogenforensic.com
dieetuniversiteit.nl
pro-gamer.pl
innersurrection.com
lgiwines.com
lashandbrowenvy.com
wyreforest.net
valiant-voice.com
onesynergyinternational.com
springfieldplumbermo.com
sarahspics.co.uk
axisoflove.org:443
photonag.com
theater-lueneburg.de
christopherhannan.com
lsngroupe.com
janasfokus.com
catalyseurdetransformation.com
stralsund-ansichten.de
dantreranch.com
albcleaner.fr
strauchs-wanderlust.info
alexwenzel.de
oththukaruva.com
g2mediainc.com
mediahub.co.nz
pharmeko-group.com
towelroot.co
framemyballs.com
luvbec.com
sweetz.fr
teutoradio.de
ciga-france.fr
rattanwarehouse.co.uk
dentalcircle.com
akwaba-safaris.com
opticahubertruiz.com
comoserescritor.com
aceroprime.com
pxsrl.it
suonenjoen.fi
gatlinburgcottage.com
andrealuchesi.it
vipcarrental.ae
yuanshenghotel.com
concontactodirecto.com
taulunkartano.fi
kombi-dress.com
parisschool.ru
aquacheck.co.za
katherinealy.com
slotspinner.com
bmw-i-pure-impulse.com
mjk.digital
alene.co
outstandingminialbums.com
donau-guides.eu
atma.nl
saint-malo-developpement.fr
myfbateam.com
volta.plus
nbva.co.uk
richardmaybury.co.uk
hospitalitytrainingsolutions.co.uk
onlinetvgroup.com
nrgvalue.com
ikzoekgod.be
solidhosting.nl
cmascd.com
drbrianhweeks.com
elliemaccreative.wordpress.com
tecleados.com
rolleepollee.com
amorbellezaysalud.com
arabianmice.com
campusescalade.com
schroederschoembs.com
mikegoodfellow.co.uk
hinotruckwreckers.com.au
signededenroth.dk
rozmata.com
trivselsguide.dk
floweringsun.org
zinnystar.com
frankgoll.com
stathmoulis.gr
collegetennis.info
nationnewsroom.com
ilveshistoria.com
advesa.com
jeanmonti.com
stressreliefadvice.com
juergenblaetz.de
chainofhopeeurope.eu
domilivefurniture.com
placermonticello.com
welovecustomers.fr
breakluckrecords.com
matthieupetel.fr
verbouwingsdouche.nl
mariajosediazdemera.com
thegetawaycollective.com
xn--ziinoapte-6ld.ro
thesilkroadny.com
babysitting-hk.helpergo.co
dibli.store
ninjaki.com
interlinkone.com
ronielyn.com
aslog.fr
dennisverschuur.com
agora-collectivites.com
suitesartemis.gr
betterce.com
kryptos72.com
bcmets.info
traitware.com
jlgraphisme.fr
randyabrown.com
sber-biznes.com
fazagostar.co
slideevents.be
solutionshosting.co.uk
rossomattonecase.it
jax-interim-and-projectmanagement.com
blavait.fr
vvego.com
natturestaurante.com.br
fixx-repair.com
johnsonweekly.com
racefietsenblog.nl
vedsegaard.dk
plbinsurance.com
ykobbqchicken.ca
malzomattalar.com
vdolg24.online
naukaip.ru
simpleitsolutions.ch
5thactors.com
drbenveniste.com
hostingbangladesh.net
therapybusinessacademy.com
hawthornsretirement.co.uk
goodherbalhealth.com
eos-horlogerie.com
nuohous.com
dayenne-styling.nl
publicompserver.de
arearugcleaningnyc.com
uci-france.fr
cl0nazepamblog.com
mindsparkescape.com
manzel.tn
advancedeyecare.com
nauticmarine.dk
test-teleachat.fr
golfclublandgoednieuwkerk.nl
kiraribeaute-nani.com
maxcube24.com.ua
gbk-tp1.de
renderbox.ch
claudiakilian.de
secrets-clubs.co.uk
c-sprop.com
scietech.academy
rentsportsequip.com
indiebizadvocates.org
ronaldhendriks.nl
universelle.fr
atrgroup.it
stanleyqualitysystems.com
acb-gruppe.ch
cainlaw-okc.com
beauty-traveller.com
pureelements.nl
kickittickets.com
csaballoons.com
azloans.com
mundo-pieces-auto.fr
maryairbnb.wordpress.com
ddmgen.com
operativadigital.com
studionumerik.fr
silverbird.dk
mesajjongeren.nl
citiscapes-art.com
diakonie-weitramsdorf-sesslach.de
bluetenreich-brilon.de
eventosvirtualesexitosos.com
polynine.com
chatberlin.de
grancanariaregional.com
voetbalhoogeveen.nl
bundan.com
hnkns.com
netadultere.fr
olry-cloisons.fr
bumbipdeco.site
fridakids.com
gurutechnologies.net
holocine.de
jacquesgarcianoto.com
baumfinancialservices.com
leatherjees.com
eurethicsport.eu
ingresosextras.online
alltagsrassismus-entknoten.de
arazi.eus
sprintcoach.com
pourlabretagne.bzh
billyoart.com
aktivfriskcenter.se
apiarista.de
scotlandsroute66.co.uk
metroton.ru
dentallabor-luenen.de
liepertgrafikweb.at
nieuwsindeklas.be
neonodi.be
the3-week-diet.net
linkbuilding.life
qwikcoach.com
endstarvation.com
atelierkomon.com
tweedekansenloket.nl
o90.dk
kamin-somnium.de
denverwynkoopdentist.com
cormanmarketing.com
professionetata.com
cyberpromote.de
rhino-storage.co.uk
fla.se
angelsmirrorus.com
bluemarinefoundation.com
successcolony.com.ng
t3brothers.com
m2graph.fr
jonnyhooley.com
apogeeconseils.fr
advance-refle.com
richardkershawwines.co.za
tieronechic.com
tchernia-conseil.fr
theatre-embellie.fr
hom-frisor.dk
pubcon.com
craftron.com
docarefoundation.org
epsondriversforwindows.com
nexstagefinancial.com
xrresources.com
limmortelyouth.com
martinipstudios.com
kvetymichalovce.sk
jakubrybak.com
smarttourism.academy
corporacionrr.com
stabilisateur.fr
sambaglow.com
lidkopingsnytt.nu
boomerslivinglively.com
so-sage.fr
girlish.ae
auberives-sur-vareze.fr
rechtenplicht.be
edvestors.org
111firstdelray.com
phoenixcrane.com
martha-frets-ceramics.nl
n-newmedia.de
glende-pflanzenparadies.de
pvandambv.nl
banksrl.co.za
goeppinger-teppichreinigung.de
lexced.com
pisofare.co
tetameble.pl
parentsandkids.com
liverpoolabudhabi.ae
sunsolutions.es
magnetvisual.com
tzn.nu
haard-totaal.nl
astrographic.com
lapponiasafaris.com
baptistdistinctives.org
molinum.pt
latteswithleslie.com
lollachiro.com
bluelakevision.com
yournextshoes.com
achetrabalhos.com
brunoimmobilier.com
victorvictoria.com
mustangmarketinggroup.com
futurenetworking.com
cxcompany.com
devus.de
paprikapod.com
focuskontur.com
benchbiz.com
housesofwa.com
fbmagazine.ru
mediabolmong.com
oscommunity.de
cotton-avenue.co.il
ncn.nl
schlagbohrmaschinetests.com
patriotcleaning.net
sshomme.com
stringnosis.academy
loparnille.se
crestgood.com
tesisatonarim.com
bringmehope.org
spirello.nl
medicalsupportco.com
grafikstudio-visuell.de
sololibrerie.it
palmecophilippines.com
rentingwell.com
singletonfinancial.com
daveystownhouse.com
techybash.com
agencewho-aixenprovence.fr
mensemetgesigte.co.za
alwaysdc.com
elitkeramika-shop.com.ua
limounie.com
circuit-diagramz.com
nourella.com
xn--billigafrgpatroner-stb.se
min-virksomhed.dk
kausette.com
net: true
pid: 30
prc (process names from the config; REvil terminates matching processes before encryption so that files they hold open, such as databases and mail stores, can be encrypted):
mysqld_nt.exe
dbsnmp.exe
ocssd.exe
sqlwriter.exe
winword.exe
oracle.exe
thunderbird.exe
mysqld_opt.exe
agntsvc.exe
excel.exe
ocautoupds.exe
encsvc.exe
infopath.exe
mspub.exe
msaccess.exe
steam.exe
sqlservr.exe
dbeng50.exe
sqlbrowser.exe
onenote.exe
firefoxconfig.exe
mydesktopqos.exe
thebat64.exe
xfssvccon.exe
synctime.exe
ocomm.exe
powerpnt.exe
tbirdconfig.exe
sqbcoreservice.exe
mysqld.exe
visio.exe
wordpad.exe
mydesktopservice.exe
isqlplussvc.exe
sqlagent.exe
thebat.exe
outlook.exe
msftesql.exe
ransom_oneliner:
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

ransom_template (verbatim as extracted, including the note's own spelling; {EXT}, {UID} and {KEY} are filled in per victim):
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/{UID}
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: {KEY}
Extension name: {EXT}
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

sub: 97
Extracted
Note path: C:\Users\iey029hmi-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B805D138AD2CF8B3
http://decryptor.top/B805D138AD2CF8B3
These are the per-victim values of this run: the extension iey029hmi fills {EXT} in the note filename, and the ID B805D138AD2CF8B3 fills {UID} in both template URLs. The .onion address and decryptor.top come from the config template and are the durable indicators; the extension and the UID are generated per infection and should not be used as static signatures.
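The following is an added example and not part of the sandbox report: it shows how the config fields above turn into concrete hunting indicators for one victim. The template excerpt, note path, UID and domain entries are copied from this page; the function names and the decision to assume no default port for bare domain entries are mine.

```python
# Added example, not part of the sandbox report: derive per-victim indicators
# from the extracted Sodinokibi/REvil config fields shown above. Function
# names are mine; the template excerpt, paths and UID are copied from the page.
import re

# Excerpt of ransom_template as extracted (only the parts carrying placeholders).
RANSOM_TEMPLATE_EXCERPT = (
    "all files on you computer has expansion {EXT}. "
    "a) Download and install TOR browser from this site: https://torproject.org/ "
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "b) Open our secondary website: http://decryptor.top/{UID} "
    "Key: {KEY} Extension name: {EXT}"
)

NOTE_NAME_RE = re.compile(r"([^\\/]+)-readme\.txt$", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def render_note(template: str, ext: str, uid: str, key: str = "{KEY}") -> str:
    """Fill the placeholders the way the sample does when it drops <EXT>-readme.txt.
    str.replace is used rather than str.format so that nothing else in the note
    text can be interpreted as a format field."""
    return template.replace("{EXT}", ext).replace("{UID}", uid).replace("{KEY}", key)


def extension_from_note_path(path: str):
    """Recover the per-victim extension from an observed note path, e.g.
    C:\\Users\\iey029hmi-readme.txt -> 'iey029hmi'. Returns None if the
    filename does not follow the {EXT}-readme.txt pattern."""
    m = NOTE_NAME_RE.search(path)
    return m.group(1) if m else None


def victim_urls(rendered_note: str, uid: str):
    """URLs in the note that carry the victim UID. Generic links such as
    torproject.org are dropped so they never land on a blocklist."""
    return [u.rstrip(".,") for u in URL_RE.findall(rendered_note) if uid in u]


def split_domain_entry(entry: str):
    """Config domain entries are 'host' or 'host:port'. No default port is
    assumed (assumption: the report only shows a minority with an explicit :443)."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, None


def build_indicators(note_path: str, uid: str, domain_entries):
    """Combine the config with the observed note path into one hunting set."""
    ext = extension_from_note_path(note_path)
    if ext is None:
        raise ValueError(f"not a REvil note filename: {note_path}")
    rendered = render_note(RANSOM_TEMPLATE_EXCERPT, ext, uid)
    return {
        "extension": ext,
        "note_name": f"{ext}-readme.txt",
        "urls": victim_urls(rendered, uid),
        "hosts": [split_domain_entry(e) for e in domain_entries],
    }


if __name__ == "__main__":
    # Values from this report: note path from "Extracted", UID from the two URLs,
    # and three entries from the config domain list.
    indicators = build_indicators(
        r"C:\Users\iey029hmi-readme.txt",
        "B805D138AD2CF8B3",
        ["sytzedevries.com", "avtoboss163.ru:443", "xn--80abehgab4ak0ddz.xn--p1ai"],
    )
    for key, value in indicators.items():
        print(key, value)
```

The extension and note name are what you would search file-creation telemetry for on the affected host; the two UID-bearing URLs identify the victim page on the operator's sites; the host list is the beacon set to check against proxy and DNS logs. Note that the domain list in this config consists largely of ordinary websites, so treat hits as leads to confirm rather than as verdicts.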
Signatures
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Sodinokibi family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Every drive letter from A: to Z: except C: is probed in one sweep (A: and B: included), which is the drive walk that precedes encryption of any mapped or removable volume; a single process opening this many drive roots in quick succession is itself a usable behavioural indicator.
All rows: process = DHL __.pdf(1).exe
description | ioc
File opened (read-only) | \??\Q:
File opened (read-only) | \??\U:
File opened (read-only) | \??\W:
File opened (read-only) | \??\X:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\M:
File opened (read-only) | \??\H:
File opened (read-only) | \??\L:
File opened (read-only) | \??\O:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\D:
File opened (read-only) | \??\F:
File opened (read-only) | \??\B:
File opened (read-only) | \??\I:
File opened (read-only) | \??\J:
File opened (read-only) | \??\N:
File opened (read-only) | \??\P:
File opened (read-only) | \??\R:
File opened (read-only) | \??\S:
File opened (read-only) | \??\E:
File opened (read-only) | \??\G:
File opened (read-only) | \??\K:
File opened (read-only) | \??\T:
File opened (read-only) | \??\V:
File opened (read-only) | \??\A:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
All rows: process = DHL __.pdf(1).exe
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3vlq7r5royz.bmp"
The wallpaper is a generated-name .bmp written to the user's local Temp directory and applied through HKCU\Control Panel\Desktop\Wallpaper; the doubled backslashes are the report's escaping of the registry string value, not part of the path. A Wallpaper value pointing into %TEMP% is a cheap registry indicator to alert on.
Drops file in Program Files directory (47 IoCs)
Two markers recur in every directory the sample touches: the note iey029hmi-readme.txt and a lock file a73a6b0b.lock whose name is constant across directories in this run. Files "opened for modification" are the victim files being encrypted in place.
All rows: process = DHL __.pdf(1).exe
description | ioc
File opened for modification | \??\c:\program files\BlockRedo.ttf
File opened for modification | \??\c:\program files\UnregisterPush.wmv
File created | \??\c:\program files\a73a6b0b.lock
File opened for modification | \??\c:\program files\ClearSkip.html
File opened for modification | \??\c:\program files\ConnectAdd.midi
File opened for modification | \??\c:\program files\ProtectJoin.tif
File opened for modification | \??\c:\program files\ReceiveRestore.rmi
File opened for modification | \??\c:\program files\RepairEdit.wvx
File opened for modification | \??\c:\program files\UpdateSwitch.odt
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\iey029hmi-readme.txt
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\a73a6b0b.lock
File created | \??\c:\program files (x86)\iey029hmi-readme.txt
File created | \??\c:\program files (x86)\a73a6b0b.lock
File opened for modification | \??\c:\program files\JoinRestart.wmv
File opened for modification | \??\c:\program files\PingSubmit.ttf
File opened for modification | \??\c:\program files\TraceBlock.mp4
File created | \??\c:\program files\iey029hmi-readme.txt
File opened for modification | \??\c:\program files\ResumeReceive.wmf
File opened for modification | \??\c:\program files\WaitDismount.rle
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\a73a6b0b.lock
File opened for modification | \??\c:\program files\ClearJoin.snd
File opened for modification | \??\c:\program files\ConnectRequest.iso
File opened for modification | \??\c:\program files\PopMount.xla
File opened for modification | \??\c:\program files\ReceiveWatch.wav
File opened for modification | \??\c:\program files\ResolveUnlock.wmf
File opened for modification | \??\c:\program files\StartRename.mpeg
File created | \??\c:\program files (x86)\microsoft sql server compact edition\iey029hmi-readme.txt
File opened for modification | \??\c:\program files\InitializeApprove.emz
File opened for modification | \??\c:\program files\InvokeExit.cfg
File opened for modification | \??\c:\program files\MoveSave.midi
File opened for modification | \??\c:\program files\RepairWait.xlt
File opened for modification | \??\c:\program files\SetAdd.xla
File opened for modification | \??\c:\program files\StepUse.crw
File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\iey029hmi-readme.txt
File opened for modification | \??\c:\program files\CompleteWait.ttf
File opened for modification | \??\c:\program files\GrantClear.M2V
File opened for modification | \??\c:\program files\InvokeGroup.rmi
File opened for modification | \??\c:\program files\OpenBlock.pptm
File opened for modification | \??\c:\program files\OutMeasure.svgz
File opened for modification | \??\c:\program files\BlockExpand.ogg
File opened for modification | \??\c:\program files\ClearSend.contact
File opened for modification | \??\c:\program files\CompressSearch.xlsx
File opened for modification | \??\c:\program files\ConvertToSplit.snd
File opened for modification | \??\c:\program files\DenyGroup.otf
File opened for modification | \??\c:\program files\ImportSave.MTS
File opened for modification | \??\c:\program files\RestoreDisconnect.au3
File created | \??\c:\program files (x86)\microsoft sql server compact edition\a73a6b0b.lock
Drops file in Windows directory (64 IoCs)
All listed paths are component-store backup copies under C:\Windows\winsxs\Backup (manifests, MUI resources, fonts and drivers) being opened for modification, i.e. encrypted like any other file. The report shows 41 of the 64 entries; the rest are truncated in the source.
All rows: process = DHL __.pdf(1).exe; all paths are prefixed C:\Windows\winsxs\Backup\
description | ioc
File opened for modification | wow64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_765b17a2c56f9155_pad.inf_dbf42768
File opened for modification | amd64_microsoft-windows-ndis_31bf3856ad364e35_6.1.7601.17514_none_05ed313632ae9759_ndis.sys_e2e1846f
File opened for modification | amd64_microsoft-windows-p..ng-spooler-splwow64_31bf3856ad364e35_6.1.7601.17514_none_25d05769a8973724.manifest
File opened for modification | amd64_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_90082f740162cae1.manifest
File opened for modification | wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.17514_none_c1518e03472df852.manifest
File opened for modification | x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_ecfd9826ce3001e7.manifest
File opened for modification | amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_vgasysr.fon_af0ffe9e
File opened for modification | amd64_microsoft-windows-t..rk-msimtf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_40f3084378f264ba_msimtf.dll.mui_e40b8b25
File opened for modification | x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_1d6cc00f7f128cc9.manifest
File opened for modification | amd64_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0c87415f91a2fd6b.manifest
File opened for modification | wow64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e89294b2fdfa6c6f_explorerframe.dll.mui_074caeb5
File opened for modification | wow64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9fd3daa29505fb3c.manifest
File opened for modification | amd64_microsoft-windows-sxssrv_31bf3856ad364e35_6.1.7600.16385_none_bc7acb14d0edfca2.manifest
File opened for modification | amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0eaa73e1c56d6827.manifest
File opened for modification | wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_de-de_227521a01b1e0f11_unlodctr.exe.mui_53acc4d0
File opened for modification | x86_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c9e31697c5d34471_psbase.dll.mui_c28690ab
File opened for modification | x86_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4c5c5f0b3e948403.manifest
File opened for modification | amd64_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_de-de_008abe00ec7ed418.manifest
File opened for modification | x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f223af4916b0f0f3.manifest
File opened for modification | amd64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f01edf2c50177479_kernel32.dll.mui_c29170cd
File opened for modification | amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76.manifest
File opened for modification | amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0dcaa2ad5c24a80_lodctr.exe.mui_4ac7d1a1
File opened for modification | amd64_microsoft-windows-font-bitmap-courier_31bf3856ad364e35_6.1.7600.16385_none_5283fef09ca6fa1a_courer.fon_792fc669
File opened for modification | amd64_microsoft-windows-pcw_31bf3856ad364e35_6.1.7600.16385_none_0c06880570316dc3.manifest
File opened for modification | amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3de2b918dd486536.manifest
File opened for modification | wow64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a32fbc5b737d33de_kernel32.dll.mui_c29170cd
File opened for modification | amd64_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c00c27bdb90841b1_credui.dll.mui_34721171
File opened for modification | amd64_microsoft-windows-gdi32_31bf3856ad364e35_6.1.7601.17514_none_b7a4af6b5ff115ac.manifest
File opened for modification | amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4e23429b0fff2c9.manifest
File opened for modification | wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_7019de43f9e3a677_lodctr.exe.mui_4ac7d1a1
File opened for modification | amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5a20b74a645757f9.manifest
File opened for modification | amd64_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_en-us_23b7b32e73eca54a.manifest
File opened for modification | amd64_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_65143f30f3101abd_iphlpapi.dll.mui_9531144c
File opened for modification | wow64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_it-it_291eee26c5177af0.manifest
File opened for modification | x86_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_es-es_24d3552052fff863_iscsidsc.mfl_20ed5374
File opened for modification | amd64_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_en-us_70a1ff28cc89fb03_irclass.dll.mui_c67cedc8
File opened for modification | amd64_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ff72338b8528ca90.manifest
File opened for modification | x86_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5c2875c09ce14e86_powrprof.dll.mui_a2448a34
File opened for modification | amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_93d8d7e28ba5f11d_bootmgfw.efi.mui_a6e78cfa
File opened for modification | amd64_microsoft-windows-f..itmap-ms_sans_serif_31bf3856ad364e35_6.1.7600.16385_none_ac9f9e10add68c8b_sseriffg.fon_12e7f086
File opened for modification | amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_545ec4e0c6ba7521_dhcpcore6.dll.mui_27872349
File opened for modification | (remaining entries truncated in source)
C:\Windows\winsxs\Backup\amd64_microsoft-windows-audio-mmecore-base_31bf3856ad364e35_6.1.7600.16385_none_11d4ade16b61222e.manifest DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c7845a1d6a4a71cf_samsrv.dll.mui_32250491 DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_jvgasys.fon_d163c032 DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4d3659ce8545a5aa_sxproxy.dll.mui_f9d8f818 DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga950.fon_09ed4d3d DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a0e539441d9ce77a.manifest DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-imageres.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aaf8b90fcd8556d4_imageres.dll.mui_3e41dee6 DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_85s1256.fon_3e26940d DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f6695fe178d53374.manifest DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_22b18c66b73f6810.manifest DHL __.pdf(1).exe File opened for modification 
C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_zh-changjei.xml_e75e557b DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8c5bb00ce4f9092e_sti.dll.mui_00a4f15b DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_en-us_492959f9bd028207.manifest DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_35b011d70e1c44c6_certcredprovider.dll.mui_b5ad161e DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73a83d2d2f7a0e00.manifest DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..-truetype-aparajita_31bf3856ad364e35_6.1.7601.17514_none_d123c185ad71f4d5_aparaji.ttf_ca6e5634 DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_9633e7caefbaf953_sceregvl.inf_9fe633c0 DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..ider-interface-stub_31bf3856ad364e35_6.1.7600.16385_none_9c026780b00728b6.manifest DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d1e6b0133605c89d_wininit.exe.mui_997435f5 DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-hardware-policy_31bf3856ad364e35_6.1.7601.17514_none_604653a7c0745b40.manifest DHL __.pdf(1).exe File opened for modification 
C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_pt-pt_ef7b9e173a536f62_comdlg32.dll.mui_ac8e62f4 DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_de-de_bb31595d11a5d311_credui.dll.mui_34721171 DHL __.pdf(1).exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c2bf0e25e7a17c20.manifest DHL __.pdf(1).exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DHL __.pdf(1).exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid / Process
2796 vssadmin.exe
-
Modifies system certificate store
description / ioc / Process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) DHL __.pdf(1).exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 DHL __.pdf(1).exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) DHL __.pdf(1).exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 DHL __.pdf(1).exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data omitted) DHL __.pdf(1).exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) DHL __.pdf(1).exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid / Process
2188 DHL __.pdf(1).exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description / pid / Process
Token: SeBackupPrivilege 2776 vssvc.exe
Token: SeRestorePrivilege 2776 vssvc.exe
Token: SeAuditPrivilege 2776 vssvc.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description / pid / Process / procid_target
PID 2188 wrote to memory of 2728 2188 DHL __.pdf(1).exe 30
PID 2188 wrote to memory of 2728 2188 DHL __.pdf(1).exe 30
PID 2188 wrote to memory of 2728 2188 DHL __.pdf(1).exe 30
PID 2188 wrote to memory of 2728 2188 DHL __.pdf(1).exe 30
PID 2728 wrote to memory of 2796 2728 cmd.exe 32
PID 2728 wrote to memory of 2796 2728 cmd.exe 32
PID 2728 wrote to memory of 2796 2728 cmd.exe 32
PID 2728 wrote to memory of 2796 2728 cmd.exe 32
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\DHL __.pdf(1).exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DHL __.pdf(1).exe"
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2188
-
  Level 2 (child of PID 2188): C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2728
-
    Level 3 (child of PID 2728): C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID: 2796
-
Level 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 2776
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (2)
- File Deletion (2)
- Modify Registry (2)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 6KB
MD5: 8e4bff92f3880323cd25454a4687b2d1
SHA1: a98152d2c7f9c87bc418d5a316e0f14eee53a0e2
SHA256: efbed23cddf483c2b3a661e59d69a266863a87763f931698222fd6df60d92f1e
SHA512: 4b61651abb6679aec4fda99442132042f92bc0040b831154c1698f398cc18ea12fbd8712196a9015b3b1a41059459e04aa8846e3178e1d1622c9fefdf425cdc7