Analysis Report 835f242d_by_Libranalysis

Overview

General Information

Sample Name: 835f242d_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 414392
MD5: 835f242dde220cc76ee5544119562268
SHA1: 8118474606a68c03581eef85a05a90275aa1ec24
SHA256: dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f

Detection

Sodinokibi
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Sodinokibi Ransomware
Found Tor onion address
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Executable Used by PlugX in Uncommon Location
Writes a notice file (html or txt) to demand a ransom
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks for available system drives (often done to infect USB drives)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)
  • System is w10x64
  • 835f242d_by_Libranalysis.exe (PID: 6364 cmdline: 'C:\Users\user\Desktop\835f242d_by_Libranalysis.exe' MD5: 835F242DDE220CC76EE5544119562268)
    • MsMpEng.exe (PID: 6384 cmdline: C:\Users\user\AppData\Local\Temp\MsMpEng.exe MD5: 8CC83221870DD07144E63DF594C391D9)
  • unsecapp.exe (PID: 4784 cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding MD5: 9CBD3EC8D9E4F8CE54258B0573C66BEB)
  • cleanup
{
  "prc": [
    "thebat",
    "onenote",
    "ocautoupds",
    "isqlplussvc",
    "mydesktopservice",
    "firefox",
    "mspub",
    "steam",
    "dbeng50",
    "sql",
    "dbsnmp",
    "ocssd",
    "encsvc",
    "ocomm",
    "xfssvccon",
    "sqbcoreservice",
    "synctime",
    "outlook",
    "wordpad",
    "tbirdconfig",
    "msaccess",
    "agntsvc",
    "winword",
    "infopath",
    "mydesktopqos",
    "excel",
    "visio",
    "oracle",
    "thunderbird",
    "powerpnt"
  ],
  "sub": "7707",
  "svc": [
    "vss",
    "backup",
    "veeam",
    "mepocs",
    "sophos",
    "svc$",
    "sql",
    "memtas"
  ],
  "wht": {
    "ext": [
      "cpl",
      "com",
      "msc",
      "ldf",
      "spl",
      "scr",
      "shs",
      "cab",
      "themepack",
      "adv",
      "nls",
      "msi",
      "icl",
      "lnk",
      "hta",
      "hlp",
      "rom",
      "cmd",
      "diagpkg",
      "mod",
      "ics",
      "idx",
      "deskthemepack",
      "dll",
      "prf",
      "ico",
      "ani",
      "bat",
      "exe",
      "rtp",
      "wpx",
      "cur",
      "ps1",
      "nomedia",
      "drv",
      "diagcab",
      "mpa",
      "sys",
      "msp",
      "msu",
      "key",
      "bin",
      "msstyles",
      "icns",
      "ocx",
      "theme",
      "386",
      "lock",
      "diagcfg"
    ],
    "fls": [
      "desktop.ini",
      "ntuser.dat",
      "thumbs.db",
      "ntuser.dat.log",
      "ntldr",
      "bootsect.bak",
      "autorun.inf",
      "ntuser.ini",
      "bootfont.bin",
      "boot.ini",
      "iconcache.db"
    ],
    "fld": [
      "perflogs",
      "programdata",
      "boot",
      "mozilla",
      "program files",
      "appdata",
      "msocache",
      "intel",
      "google",
      "windows",
      "$recycle.bin",
      "system volume information",
      "windows.old",
      "application data",
      "program files (x86)",
      "$windows.~bt",
      "tor browser",
      "$windows.~ws"
    ]
  },
  "img": "WQBvAHUAcgAgAGYAaQBsAGUAcwAgAGEAcgBlACAAcwB0AG8AbABlAG4AIABhAG4AZAAgAGUAbgBjAHIAeQBwAHQAZQBkACEADQAKAA0ACgBGAGkAbgBkACAAewBFAFgAVAB9AC0AcgBlAGEAZABtAGUALgB0AHgAdAAgAGEAbgBkACAAZgBvAGwAbABvAHcAIABpAG4AcwB0AHIAdQBjAHQAaQBvAG4AcwAuAAAA",
  "dmn": "fiscalsort.com;nachhilfe-unterricht.com;newstap.com.ng;myhostcloud.com;tinkoff-mobayl.ru;waynela.com;stacyloeb.com;norovirus-ratgeber.de;vitavia.lt;controldekk.com;bsaship.com;ladelirante.fr;strategicstatements.com;ravensnesthomegoods.com;smokeysstoves.com;teczowadolina.bytom.pl;marietteaernoudts.nl;kao.at;aselbermachen.com;planchaavapor.net;ncuccr.org;worldhealthbasicinfo.com;gemeentehetkompas.nl;merzi.info;thomas-hospital.de;thee.network;ivfminiua.com;iyahayki.nl;aniblinova.wordpress.com;foretprivee.ca;nandistribution.nl;perbudget.com;purposeadvisorsolutions.com;pmcimpact.com;smogathon.com;boulderwelt-muenchen-west.de;baylegacy.com;lukeshepley.wordpress.com;exenberger.at;autodujos.lt;bayoga.co.uk;zzyjtsgls.com;samnewbyjax.com;caribbeansunpoker.com;lapinlviasennus.fi;id-et-d.fr;trulynolen.co.uk;rushhourappliances.com;daklesa.de;fairfriends18.de;stemplusacademy.com;xn--thucmctc-13a1357egba.com;gadgetedges.com;craigmccabe.fun;mediaclan.info;humancondition.com;myteamgenius.com;myzk.site;desert-trails.com;connectedace.com;brigitte-erler.com;sairaku.net;interactcenter.org;mooglee.com;corelifenutrition.com;stemenstilte.nl;actecfoundation.org;funjose.org.gt;ussmontanacommittee.us;arteservicefabbro.com;autofolierung-lu.de;embracinghiscall.com;cheminpsy.fr;admos-gleitlager.de;oldschoolfun.net;lascuola.nl;twohourswithlena.wordpress.com;nvwoodwerks.com;judithjansen.com;digi-talents.com;craigvalentineacademy.com;seminoc.com;edrcreditservices.nl;thedresserie.com;systemate.dk;femxarxa.cat;employeesurveys.com;compliancesolutionsstrategies.com;garage-lecompte-rouen.fr;thefixhut.com;bestbet.com;stoeberstuuv.de;slimidealherbal.com;skanah.com;abogadoengijon.es;hushavefritid.dk;sexandfessenjoon.wordpress.com;apolomarcas.com;girlillamarketing.com;allamatberedare.se;igrealestate.com;punchbaby.com;chaotrang.com;dutchbrewingcoffee.com;dr-tremel-rednitzhembach.de;richard-felix.co.uk;sanyue119.com;beyondmarcomdotcom.wordpress.com;campusoutreach.org;shiftinspiration.com;erstatnings
advokaterne.dk;maineemploymentlawyerblog.com;live-your-life.jp;hotelzentral.at;woodworkersolution.com;advokathuset.dk;roadwarrior.app;mountaintoptinyhomes.com;spargel-kochen.de;bogdanpeptine.ro;gmto.fr;crowcanyon.com;maryloutaylor.com;pierrehale.com;midmohandyman.com;vox-surveys.com;tanzprojekt.com;marketingsulweb.com;dushka.ua;luckypatcher-apkz.com;romeguidedvisit.com;greenpark.ch;gastsicht.de;bradynursery.com;neuschelectrical.co.za;kath-kirche-gera.de;frontierweldingllc.com;pmc-services.de;celularity.com;zervicethai.co.th;southeasternacademyofprosthodontics.org;mikeramirezcpa.com;mbxvii.com;i-arslan.de;35-40konkatsu.net;appsformacpc.com;noixdecocom.fr;humanityplus.org;greenko.pl;loprus.pl;alhashem.net;logopaedie-blomberg.de;dubnew.com;wraithco.com;iqbalscientific.com;notsilentmd.org;sloverse.com;madinblack.com;tarotdeseidel.com;shadebarandgrillorlando.com;epwritescom.wordpress.com;macabaneaupaysflechois.com;harpershologram.wordpress.com;summitmarketingstrategies.com;ventti.com.ar;waywithwords.net;seitzdruck.com;boosthybrid.com.au;hypozentrum.com;torgbodenbollnas.se;mindpackstudios.com;nhadatcanho247.com;campus2day.de;leda-ukraine.com.ua;argos.wityu.fund;baumkuchenexpo.jp;littlebird.salon;12starhd.online;vibehouse.rw;broseller.com;asiluxury.com;plv.media;id-vet.com;reddysbakery.com;braffinjurylawfirm.com;vorotauu.ru;igfap.com;vyhino-zhulebino-24.ru;maureenbreezedancetheater.org;conasmanagement.de;nuzech.com;petnest.ir;edelman.jp;architekturbuero-wagner.net;kaliber.co.jp;gporf.fr;hhcourier.com;nurturingwisdom.com;hannah-fink.de;almosthomedogrescue.dog;softsproductkey.com;galleryartfair.com;amerikansktgodis.se;ianaswanson.com;brevitempore.net;finde-deine-marke.de;fransespiegels.nl;hatech.io;artige.com;devok.info;cimanchesterescorts.co.uk;ruralarcoiris.com;tecnojobsnet.com;bptdmaluku.com;ledmes.ru;meusharklinithome.wordpress.com;aco-media.nl;montrium.com;dublikator.com;mastertechengineering.com;herbayupro.com;rosavalamedahr.com;verytycs.com;fatfreezingmachines.com;n1-
headache.com;deepsouthclothingcompany.com;vickiegrayimages.com;educar.org;zonamovie21.net;toreria.es;ihr-news.jp;lusak.at;tulsawaterheaterinstallation.com;spacecitysisters.org;firstpaymentservices.com;monark.com;dutchcoder.nl;malychanieruchomoscipremium.com;thedad.com;first-2-aid-u.com;htchorst.nl;anybookreader.de;citymax-cr.com;modestmanagement.com;mariposapropaneaz.com;klusbeter.nl;pt-arnold.de;ilive.lt;helikoptervluchtnewyork.nl;otsu-bon.com;klimt2012.info;easytrans.com.au;manutouchmassage.com;celeclub.org;christinarebuffetcourses.com;globedivers.wordpress.com;servicegsm.net;kedak.de;theletter.company;ralister.co.uk;ftf.or.at;coding-marking.com;maxadams.london;zimmerei-fl.de;corola.es;pay4essays.net;iyengaryogacharlotte.com;corendonhotels.com;copystar.co.uk;lmtprovisions.com;quizzingbee.com;faizanullah.com;mrtour.site;buymedical.biz;comarenterprises.com;lillegrandpalais.com;ccpbroadband.com;spylista.com;fax-payday-loans.com;xltyu.com;eraorastudio.com;mytechnoway.com;bee4win.com;dr-pipi.de;space.ua;x-ray.ca;smale-opticiens.nl;kissit.ca;bierensgebakkramen.nl;blumenhof-wegleitner.at;tomoiyuma.com;presseclub-magdeburg.de;pixelarttees.com;schmalhorst.de;lichencafe.com;imadarchid.com;cursoporcelanatoliquido.online;todocaracoles.com;plastidip.com.ar;expandet.dk;pcprofessor.com;saxtec.com;rebeccarisher.com;kmbshipping.co.uk;365questions.org;huesges-gruppe.de;patrickfoundation.net;airconditioning-waalwijk.nl;noskierrenteria.com;jerling.de;executiveairllc.com;figura.team;babcockchurch.org;live-con-arte.de;rollingrockcolumbia.com;troegs.com;xtptrack.com;nsec.se;jyzdesign.com;ausbeverage.com.au;sanaia.com;bookspeopleplaces.com;gonzalezfornes.es;classycurtainsltd.co.uk;dr-seleznev.com;testcoreprohealthuk.com;cityorchardhtx.com;atozdistribution.co.uk;ceid.info.tr;lightair.com;balticdermatology.lt;jvanvlietdichter.nl;mrxermon.de;irishmachineryauctions.com;abl1.net;people-biz.com;beaconhealthsystem.org;caffeinternet.it;projetlyonturin.fr;sauschneider.info;tinyagency.com;crosspoi
ntefellowship.church;partnertaxi.sk;manifestinglab.com;hexcreatives.co;kariokids.com;smejump.co.th;evergreen-fishing.com;international-sound-awards.com;centuryrs.com;ohidesign.com;cite4me.org;parkcf.nl;echtveilig.nl;krcove-zily.eu;global-kids.info;ulyssemarketing.com;jbbjw.com;coastalbridgeadvisors.com;fitnessbazaar.com;officehymy.com;tomaso.gr;streamerzradio1.site;facettenreich27.de;ampisolabergeggi.it;paradicepacks.com;bockamp.com;filmstreamingvfcomplet.be;parks-nuernberg.de;pferdebiester.de;grupocarvalhoerodrigues.com.br;c2e-poitiers.com;ligiercenter-sachsen.de;upplandsspar.se;turkcaparbariatrics.com;smessier.com;importardechina.info;naturstein-hotte.de;kunze-immobilien.de;hellohope.com;aakritpatel.com;sportsmassoren.com;psa-sec.de;huehnerauge-entfernen.de;schraven.de;aglend.com.au;shiresresidential.com;directwindowco.com;stingraybeach.com;serce.info.pl;jandaonline.com;songunceliptv.com;pelorus.group;portoesdofarrobo.com;alfa-stroy72.com;pocket-opera.de;mirjamholleman.nl;sweering.fr;cactusthebrand.com;alvinschwartz.wordpress.com;associacioesportivapolitg.cat;abogadosaccidentetraficosevilla.es;restaurantesszimmer.de;simulatebrain.com;koken-voor-baby.nl;ogdenvision.com;finediningweek.pl;pivoineetc.fr;bxdf.info;hashkasolutindo.com;senson.fi;bauertree.com;tongdaifpthaiphong.net;gymnasedumanagement.com;homecomingstudio.com;dareckleyministries.com;muamuadolls.com;vihannesporssi.fi;sw1m.ru;lapmangfpt.info.vn;trapiantofue.it;highimpactoutdoors.net;schmalhorst.de;siliconbeach-realestate.com;bouncingbonanza.com;bbsmobler.se;carriagehousesalonvt.com;peterstrobos.com;wasmachtmeinfonds.at;rehabilitationcentersinhouston.net;bargningharnosand.se;ziegler-praezisionsteile.de;wolf-glas-und-kunst.de;naturavetal.hr;no-plans.com;ahouseforlease.com;ecoledansemulhouse.fr;associationanalytics.com;osterberg.fi;lapinvihreat.fi;linnankellari.fi;kamienny-dywan24.pl;fotoideaymedia.es;vitalyscenter.es;croftprecision.co.uk;sagadc.com;all-turtles.com;austinlchurch.com;pcp-nc.com;ftlc.es;baptist
tabernacle.com;insidegarage.pl;schoellhammer.com;extensionmaison.info;werkkring.nl;antonmack.de;latestmodsapks.com;haar-spange.com;gasbarre.com;tux-espacios.com;nokesvilledentistry.com;geekwork.pl;naswrrg.org;artallnightdc.com;modelmaking.nl;sabel-bf.com;pickanose.com;parkstreetauto.net;lecantou-coworking.com;chefdays.de;polymedia.dk;praxis-foerderdiagnostik.de;miraclediet.fun;run4study.com;tenacitytenfold.com;sinal.org;mooreslawngarden.com;geoffreymeuli.com;tanciu.com;aunexis.ch;webhostingsrbija.rs;deprobatehelp.com;mylolis.com;corona-handles.com;oneheartwarriors.at;anteniti.com;allure-cosmetics.at;pogypneu.sk;miriamgrimm.de;stormwall.se;pasivect.co.uk;instatron.net;quemargrasa.net;milltimber.aberdeen.sch.uk;labobit.it;bastutunnan.se;clos-galant.com;ostheimer.at;brawnmediany.com;securityfmm.com;cerebralforce.net;kalkulator-oszczednosci.pl;puertamatic.es;poultrypartners.nl;makeitcount.at;simpkinsedwards.co.uk;esope-formation.fr;yassir.pro;evologic-technologies.com;denifl-consulting.at;helenekowalsky.com;yourobgyn.net;fibrofolliculoma.info;aurum-juweliere.de;highlinesouthasc.com;allfortheloveofyou.com;datacenters-in-europe.com;platformier.com;polzine.net;yamalevents.com;lionware.de;scenepublique.net;levdittliv.se;smartypractice.com;cortec-neuro.com;jameskibbie.com;tandartspraktijkhartjegroningen.nl;accountancywijchen.nl;you-bysia.com.au;c-a.co.in;walter-lemm.de;eadsmurraypugh.com;bouquet-de-roses.com;cleliaekiko.online;y-archive.com;binder-buerotechnik.at;comparatif-lave-linge.fr;imaginado.de;augenta.com;botanicinnovations.com;norpol-yachting.com;sojamindbody.com;notmissingout.com;zenderthelender.com;shonacox.com;stallbyggen.se;mmgdouai.fr;faronics.com;offroadbeasts.com;drnice.de;levihotelspa.fi;mousepad-direkt.de;tips.technology;suncrestcabinets.ca;rieed.de;d1franchise.com;lefumetdesdombes.com;lloydconstruction.com;xn--singlebrsen-vergleich-nec.com;cuspdental.com;art2gointerieurprojecten.nl;agence-chocolat-noir.com;danubecloud.com;denovofoodsgroup.com;body-guards.it
;creative-waves.co.uk;work2live.de;sobreholanda.com;eco-southafrica.com;falcou.fr;latribuessentielle.com;effortlesspromo.com;kaminscy.com;behavioralmedicinespecialists.com;em-gmbh.ch;kidbucketlist.com.au;vesinhnha.com.vn;praxis-management-plus.de;nestor-swiss.ch;cafemattmeera.com;spd-ehningen.de;gratispresent.se;micahkoleoso.de;oemands.dk;pasvenska.se;assurancesalextrespaille.fr;smart-light.co.uk;321play.com.hk;urist-bogatyr.ru;iwelt.de;triactis.com;milestoneshows.com;nacktfalter.de;uranus.nl;xoabigail.com;readberserk.com;fayrecreations.com;narcert.com;calxplus.eu;henricekupper.com;elimchan.com;DupontSellsHomes.com;the-virtualizer.com;lynsayshepherd.co.uk;truenyc.co;pier40forall.org;woodleyacademy.org;cursosgratuitosnainternet.com;noesis.tech;videomarketing.pro;asteriag.com;abitur-undwieweiter.de;nicoleaeschbachorg.wordpress.com;blgr.be;siluet-decor.ru;atmos-show.com;zimmerei-deboer.de;otto-bollmann.de;seagatesthreecharters.com;webcodingstudio.com;oncarrot.com;sporthamper.com;vanswigchemdesign.com;lykkeliv.net;bowengroup.com.au;outcomeisincome.com;minipara.com;lucidinvestbank.com;happyeasterimages.org;balticdentists.com;biapi-coaching.fr;alten-mebel63.ru;groupe-frayssinet.fr;greenfieldoptimaldentalcare.com;launchhubl.com;darrenkeslerministries.com;herbstfeststaefa.ch;deschl.net;iwelt.de;hvccfloorcare.com;synlab.lt;chatizel-paysage.fr;odiclinic.org;teknoz.net;penco.ie;drinkseed.com;zweerscreatives.nl;123vrachi.ru;ino-professional.ru;pubweb.carnet.hr;starsarecircular.org;theadventureedge.com;kampotpepper.gives;fannmedias.com;anthonystreetrimming.com;completeweddingkansas.com;kostenlose-webcams.com;manijaipur.com;tandartspraktijkheesch.nl;bigbaguettes.eu;acomprarseguidores.com;veybachcenter.de;delawarecorporatelaw.com;xn--fnsterputssollentuna-39b.se;vetapharma.fr;kojinsaisei.info;despedidascostablanca.es;takeflat.com;waveneyrivercentre.co.uk;thailandholic.com;nmiec.com;hardinggroup.com;dw-css.de;gaiam.nl;milsing.hr;iwr.nl;mbfagency.com;dezatec.es;freie-baugutachterprax
is.de;urmasiimariiuniri.ro;simoneblum.de;satyayoga.de;ausair.com.au;phantastyk.com;theduke.de;iphoneszervizbudapest.hu;americafirstcommittee.org;edgewoodestates.org;spectrmash.ru;modamilyon.com;argenblogs.com.ar;syndikat-asphaltfieber.de;revezlimage.com;onlyresultsmarketing.com;jenniferandersonwriter.com;burkert-ideenreich.de;vermoote.de;corelifenutrition.com;homesdollar.com;deoudedorpskernnoordwijk.nl;berlin-bamboo-bikes.org;onlybacklink.com;the-domain-trader.com;themadbotter.com;stoeferlehalle.de;markelbroch.com;dontpassthepepper.com;schoolofpassivewealth.com;amylendscrestview.com;waermetauscher-berechnen.de;itelagen.com;blood-sports.net;leoben.at;centrospgolega.com;deko4you.at;mediaplayertest.net;rocketccw.com;dinslips.se;maratonaclubedeportugal.com;moveonnews.com;kafu.ch;havecamerawilltravel2017.wordpress.com;leather-factory.co.jp;thenewrejuveme.com;fensterbau-ziegler.de;adoptioperheet.fi;vancouver-print.ca;ncid.bc.ca;parebrise-tla.fr;oslomf.no;sofavietxinh.com;sarbatkhalsafoundation.org;mardenherefordshire-pc.gov.uk;journeybacktolife.com;darnallwellbeing.org.uk;bordercollie-nim.nl;mooshine.com;sipstroysochi.ru;analiticapublica.es;bigler-hrconsulting.ch;joseconstela.com;theshungiteexperience.com.au;remcakram.com;destinationclients.fr;bodyfulls.com;wurmpower.at;devstyle.org;craftleathermnl.com;paulisdogshop.de;ora-it.de;rozemondcoaching.nl;web.ion.ag;naturalrapids.com;katketytaanet.fi;precisionbevel.com;1team.es;artotelamsterdam.com;lbcframingelectrical.com;mank.de;christ-michael.net;jakekozmor.com;creamery201.com;zieglerbrothers.de;jadwalbolanet.info;cuppacap.com;nativeformulas.com;drugdevice.org;iwelt.de;fitnessingbyjessica.com;psc.de;raschlosser.de;edv-live.de;slupetzky.at;refluxreducer.com;maasreusel.nl;imperfectstore.com;licor43.de;coursio.com;ilso.net;commercialboatbuilding.com;gamesboard.info;glennroberts.co.nz;skiltogprint.no;kenhnoithatgo.com;coding-machine.com;ki-lowroermond.nl;socialonemedia.com;philippedebroca.com;dirittosanitario.biz;morawe-krueger.d
e;blacksirius.de;stoneys.ch;ceres.org.au;tampaallen.com;sotsioloogia.ee;unim.su;mdk-mediadesign.de;zso-mannheim.de;profectis.de;simpliza.com;body-armour.online;boisehosting.net;hmsdanmark.dk;mymoneyforex.com;eglectonk.online;psnacademy.in;bargningavesta.se;physiofischer.de;centromarysalud.com;familypark40.com;aminaboutique247.com;promalaga.es;carolinepenn.com;tigsltd.com;proudground.org;biortaggivaldelsa.com;daniel-akermann-architektur-und-planung.ch;ouryoungminds.wordpress.com;jusibe.com;chrissieperry.com;alysonhoward.com;candyhouseusa.com;pointos.com;bricotienda.com;sevenadvertising.com;huissier-creteil.com;xn--rumung-bua.online;wychowanieprzedszkolne.pl;kadesignandbuild.co.uk;brandl-blumen.de;izzi360.com;promesapuertorico.com;spinheal.ru;irinaverwer.com;answerstest.ru;blog.solutionsarchitect.guru;grelot-home.com;bodyforwife.com;carlosja.com;musictreehouse.net;heurigen-bauer.at;danielblum.info;boompinoy.com;triggi.de;marathonerpaolo.com;ateliergamila.com;new.devon.gov.uk;enovos.de;transportesycementoshidalgo.es;theclubms.com;mapawood.com;harveybp.com;rhinosfootballacademy.com;pridoxmaterieel.nl;schlafsack-test.net;danholzmann.com;ontrailsandboulevards.com;toponlinecasinosuk.co.uk;ungsvenskarna.se;courteney-cox.net;advizewealth.com;rumahminangberdaya.com;hkr-reise.de;mepavex.nl;apprendrelaudit.com;upmrkt.co;mir-na-iznanku.com;tennisclubetten.nl;villa-marrakesch.de;lorenacarnero.com;bristolaeroclub.co.uk;drfoyle.com;coffreo.biz;mountsoul.de;beautychance.se;goodgirlrecovery.com;bafuncs.org;charlesreger.com;mirjamholleman.nl;backstreetpub.com;bingonearme.org;ncs-graphic-studio.com;xn--fn-kka.no;crowd-patch.co.uk;solinegraphic.com;gw2guilds.org;olejack.ru;homng.net;bunburyfreightservices.com.au;vloeren-nu.nl;galserwis.pl;milanonotai.it;sterlingessay.com;wsoil.com.sg;ai-spt.jp;winrace.no;deltacleta.cat;radaradvies.nl;juneauopioidworkgroup.org;panelsandwichmadrid.es;jobcenterkenya.com;transliminaltribe.wordpress.com;bildungsunderlebnis.haus;alsace-first.com;baustb.de;eva
ngelische-pfarrgemeinde-tuniberg.de;kikedeoliveira.com;renergysolution.com;spsshomeworkhelp.com;gopackapp.com;geisterradler.de;1kbk.com.ua;slashdb.com;urclan.net;oneplusresource.org;victoriousfestival.co.uk;saka.gr;paymybill.guru;dnepr-beskid.com.ua;hokagestore.com;luxurytv.jp;wmiadmin.com;abogadosadomicilio.es;nijaplay.com;handi-jack-llc.com;mezhdu-delom.ru;buroludo.nl;wari.com.pe;johnsonfamilyfarmblog.wordpress.com;101gowrie.com;wellplast.se;shhealthlaw.com;tanzschule-kieber.de;yousay.site;prochain-voyage.net;real-estate-experts.com;houseofplus.com;better.town;gantungankunciakrilikbandung.com;nosuchthingasgovernment.com;abuelos.com;roygolden.com;plotlinecreative.com;stopilhan.com;haremnick.com;basisschooldezonnewijzer.nl;sportiomsportfondsen.nl;webmaster-peloton.com;intecwi.com;vannesteconstruct.be;ivivo.es;love30-chanko.com;hoteledenpadova.it;birnam-wood.com;kisplanning.com.au;forskolorna.org;ymca-cw.org.uk;podsosnami.ru;asgestion.com;mercantedifiori.com;idemblogs.com;kirkepartner.dk;slimani.net;steampluscarpetandfloors.com;makeurvoiceheard.com;tophumanservicescourses.com;baronloan.org;schutting-info.nl;pomodori-pizzeria.de;bigasgrup.com;wien-mitte.co.at;igorbarbosa.com;shsthepapercut.com;socstrp.org;uimaan.fi;jeanlouissibomana.com;limassoldriving.com;seevilla-dr-sturm.at;surespark.org.uk;crediacces.com;whyinterestingly.ru;stefanpasch.me;theapifactory.com;solerluethi-allart.ch;testzandbakmetmening.online;hairnetty.wordpress.com;berliner-versicherungsvergleich.de;tonelektro.nl;hiddencitysecrets.com.au;tradiematepro.com.au;d2marketing.co.uk;polychromelabs.com;walkingdeadnj.com;thewellnessmimi.com;mirkoreisser.de;saarland-thermen-resort.com;antiaginghealthbenefits.com;gasolspecialisten.se;healthyyworkout.com;pv-design.de;lubetkinmediacompanies.com;jolly-events.com;nancy-informatique.fr;cranleighscoutgroup.org;sahalstore.com;talentwunder.com;lebellevue.fr;elpa.se;zflas.com;xlarge.at;diversiapsicologia.es;whittier5k.com;visiativ-industry.fr;allentownpapershow.com;solh
aug.tk;withahmed.com;aarvorg.com;wacochamber.com;michaelsmeriglioracing.com;rksbusiness.com;marchand-sloboda.com;knowledgemuseumbd.com;cirugiauretra.es;blossombeyond50.com;chavesdoareeiro.com;csgospeltips.se;simplyblessedbykeepingitreal.com;seproc.hn;teresianmedia.org;joyeriaorindia.com;4net.guru;hairstylesnow.site;liikelataamo.fi;retroearthstudio.com;makeflowers.ru;architecturalfiberglass.org;bouldercafe-wuppertal.de;autopfand24.de;katiekerr.co.uk;hrabritelefon.hr;euro-trend.pl;sla-paris.com;filmvideoweb.com;faroairporttransfers.net;lange.host;dsl-ip.de;julis-lsa.de;parking.netgateway.eu;jasonbaileystudio.com;commonground-stories.com;ctrler.cn;boldcitydowntown.com;xn--logopdie-leverkusen-kwb.de;jorgobe.at;heliomotion.com;sportverein-tambach.de;charlottepoudroux-photographie.fr;icpcnj.org;abogados-en-alicante.es;justinvieira.com;bhwlawfirm.com;team-montage.dk;layrshift.eu;kingfamily.construction;porno-gringo.com;unetica.fr;agence-referencement-naturel-geneve.net;thaysa.com;tsklogistik.eu;longislandelderlaw.com;antenanavi.com;supportsumba.nl;slwgs.org;aprepol.com;fitovitaforum.com;leeuwardenstudentcity.nl;rota-installations.co.uk;dubscollective.com;atalent.fi;dramagickcom.wordpress.com;farhaani.com;higadograsoweb.com;hotelsolbh.com.br;blogdecachorros.com;tstaffing.nl;plantag.de;dlc.berlin;hugoversichert.de;flexicloud.hk;trackyourconstruction.com;qlog.de;drinkseed.com;nakupunafoundation.org;andersongilmour.co.uk;lenreactiv-shop.ru;kevinjodea.com;tuuliautio.fi;myhealth.net.au;liliesandbeauties.org;rostoncastings.co.uk;danskretursystem.dk;heidelbergartstudio.gallery;autodemontagenijmegen.nl;foryourhealth.live;jsfg.com;verifort-capital.de;qualitaetstag.de;conexa4papers.trade;resortmtn.com;mrsplans.net;ditog.fr;jiloc.com;mrsfieldskc.com;symphonyenvironmental.com;vdberg-autoimport.nl;devlaur.com;chandlerpd.com;hebkft.hu;opatrovanie-ako.sk;forestlakeuca.org.au;dekkinngay.com;hihaho.com;4youbeautysalon.com;freie-gewerkschaften.de;i-trust.dk;karacaoglu.nl;rerekatu.com;div-ver
triebsforschung.de;extraordinaryoutdoors.com;mediaacademy-iraq.org;insigniapmg.com;mank.de;ikads.org;ecpmedia.vn;smithmediastrategies.com;durganews.com;rimborsobancario.net;stupbratt.no;jacquin-maquettes.com;nataschawessels.com;ilcdover.com;insp.bi;travelffeine.com;bundabergeyeclinic.com.au;lescomtesdemean.be;cyntox.com;iwelt.de;collaborativeclassroom.org;delchacay.com.ar;kindersitze-vergleich.de;bloggyboulga.net;kamahouse.net;pinkexcel.com;liveottelut.com;oceanastudios.com;ecopro-kanto.com;strandcampingdoonbeg.com;newyou.at;calabasasdigest.com;friendsandbrgrs.com;rafaut.com;www1.proresult.no;stampagrafica.es;personalenhancementcenter.com;camsadviser.com;jobmap.at;microcirc.net;kojima-shihou.com;groupe-cets.com;kosterra.com;lachofikschiet.nl;catholicmusicfest.com;caribdoctor.org;mylovelybluesky.com;carrybrands.nl;2ekeus.nl;vibethink.net;westdeptfordbuyrite.com;mirjamholleman.nl;micro-automation.de;bimnapratica.com;cwsitservices.co.uk;degroenetunnel.com;piajeppesen.dk;navyfederalautooverseas.com;colorofhorses.com;koko-nora.dk;adultgamezone.com;innote.fi;vietlawconsultancy.com;sandd.nl;trystana.com;fotoscondron.com;mdacares.com;verbisonline.com;marcuswhitten.site;xn--vrftet-pua.biz;dpo-as-a-service.com;cnoia.org;selfoutlet.com;ra-staudte.de;thomasvicino.com;tetinfo.in;fundaciongregal.org;operaslovakia.sk;kuntokeskusrok.fi;sachnendoc.com;8449nohate.org;krlosdavid.com;bridgeloanslenders.com;blewback.com;eaglemeetstiger.de;fizzl.ru;pawsuppetlovers.com;smhydro.com.pl;aodaichandung.com;besttechie.com;tastewilliamsburg.com;iviaggisonciliegie.it;financescorecard.com;zewatchers.com;digivod.de;smalltownideamill.wordpress.com;quickyfunds.com;qualitus.com;consultaractadenacimiento.com;memaag.com;kaotikkustomz.com;entopic.com;castillobalduz.es",
  "dbg": false,
  "pid": "$2a$12$.sDRCIAgJMz/cW9CPnKIneDkNV5BOsNnGlkMHoOduIfpNrPHKaZq.",
  "nbody": "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",
  "et": 1,
  "wipe": true,
  "wfld": [
    "backup"
  ],
  "rdmcnt": 0,
  "nname": "{EXT}-readme.txt",
  "pk": "lDVoRiGZunR2ErnbfjposCfAbyJPtPuk/sOWJAtVeEI=",
  "net": false,
  "exp": false,
  "arn": false
}
Yara matches (Source / Rule / Description / Author / Strings):
  • 00000001.00000003.228395143.0000000003098000.00000004.00000040.sdmp / JoeSecurity_Sodinokibi / Yara detected Sodinokibi Ransomware / Joe Security
  • 00000001.00000003.228349911.0000000003098000.00000004.00000040.sdmp / JoeSecurity_Sodinokibi / Yara detected Sodinokibi Ransomware / Joe Security
  • 00000001.00000003.228303607.0000000003098000.00000004.00000040.sdmp / JoeSecurity_Sodinokibi / Yara detected Sodinokibi Ransomware / Joe Security
  • 00000001.00000003.228590751.0000000003098000.00000004.00000040.sdmp / JoeSecurity_Sodinokibi / Yara detected Sodinokibi Ransomware / Joe Security
  • 00000001.00000003.410300982.0000000003098000.00000004.00000040.sdmp / JoeSecurity_Sodinokibi / Yara detected Sodinokibi Ransomware / Joe Security

Sigma Overview

System Summary:

Sigma detected: Executable Used by PlugX in Uncommon Location
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Local\Temp\MsMpEng.exe, CommandLine: C:\Users\user\AppData\Local\Temp\MsMpEng.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\MsMpEng.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\MsMpEng.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\MsMpEng.exe, ParentCommandLine: 'C:\Users\user\Desktop\835f242d_by_Libranalysis.exe', ParentImage: C:\Users\user\Desktop\835f242d_by_Libranalysis.exe, ParentProcessId: 6364, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\MsMpEng.exe, ProcessId: 6384

Signature Overview

AV Detection:

Found malware configuration
Source: MsMpEng.exe.6384.1.memstr Malware Configuration Extractor: Sodinokibi (extracted configuration as listed above)
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Local\Temp\Mpsvc.dll | ReversingLabs: Detection: 34%
            Multi AV Scanner detection for submitted file
            Source: 835f242d_by_Libranalysis.exe | Virustotal: Detection: 47%
            Source: 835f242d_by_Libranalysis.exe | ReversingLabs: Detection: 36%
            Source: 0.0.835f242d_by_Libranalysis.exe.a20000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen5
            Source: 0.2.835f242d_by_Libranalysis.exe.a20000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen5
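The Sodinokibi configuration the extractor pulled from the MsMpEng.exe process at the top of this section is what drives the rest of the report: "prc" and "svc" are the process and service names the sample terminates before encrypting, "wht" is the whitelist of extensions, file names and folders it leaves alone, "sub" is the affiliate/campaign id, "img" is the wallpaper text, and "dmn" is the ';'-joined list of web sites it beacons to. The script below is an added example, not code from the report or from the sample, that loads a trimmed copy of that configuration, decodes "img" (base64 over a NUL-terminated UTF-16LE string) and applies the lists to constructed process, service and path names. The substring matching used for "prc" and "svc" and the per-component folder matching used for "wht" are my assumptions about the sample's behaviour, not something the report states.

```python
import base64
import json

# Constructed input: the Sodinokibi configuration the sandbox extracted from the
# MsMpEng.exe process, reduced to the fields used below. "dmn" is cut to three
# of the beacon domains; the base64 in "img" is copied unchanged.
REVIL_CONFIG_JSON = r'''{
  "sub": "7707",
  "prc": ["thebat", "onenote", "ocautoupds", "isqlplussvc", "mydesktopservice",
          "firefox", "mspub", "steam", "dbeng50", "sql", "dbsnmp", "ocssd",
          "encsvc", "ocomm", "xfssvccon", "sqbcoreservice", "synctime",
          "outlook", "wordpad", "tbirdconfig", "msaccess", "agntsvc",
          "winword", "infopath", "mydesktopqos", "excel", "visio", "oracle",
          "thunderbird", "powerpnt"],
  "svc": ["vss", "backup", "veeam", "mepocs", "sophos", "svc$", "sql", "memtas"],
  "wht": {
    "ext": ["cpl", "com", "msc", "ldf", "spl", "scr", "shs", "cab", "themepack",
            "adv", "nls", "msi", "icl", "lnk", "hta", "hlp", "rom", "cmd",
            "diagpkg", "mod", "ics", "idx", "deskthemepack", "dll", "prf",
            "ico", "ani", "bat", "exe", "rtp", "wpx", "cur", "ps1", "nomedia",
            "drv", "diagcab", "mpa", "sys", "msp", "msu", "key", "bin",
            "msstyles", "icns", "ocx", "theme", "386", "lock", "diagcfg"],
    "fls": ["desktop.ini", "ntuser.dat", "thumbs.db", "ntuser.dat.log", "ntldr",
            "bootsect.bak", "autorun.inf", "ntuser.ini", "bootfont.bin",
            "boot.ini", "iconcache.db"],
    "fld": ["perflogs", "programdata", "boot", "mozilla", "program files",
            "appdata", "msocache", "intel", "google", "windows", "$recycle.bin",
            "system volume information", "windows.old", "application data",
            "program files (x86)", "$windows.~bt", "tor browser", "$windows.~ws"]
  },
  "img": "WQBvAHUAcgAgAGYAaQBsAGUAcwAgAGEAcgBlACAAcwB0AG8AbABlAG4AIABhAG4AZAAgAGUAbgBjAHIAeQBwAHQAZQBkACEADQAKAA0ACgBGAGkAbgBkACAAewBFAFgAVAB9AC0AcgBlAGEAZABtAGUALgB0AHgAdAAgAGEAbgBkACAAZgBvAGwAbABvAHcAIABpAG4AcwB0AHIAdQBjAHQAaQBvAG4AcwAuAAAA",
  "dmn": "fiscalsort.com;nachhilfe-unterricht.com;newstap.com.ng;"
}'''


def load_config(text):
    """Parse the extractor's JSON; "dmn" is one ';'-joined string, split it here."""
    cfg = json.loads(text)
    cfg["dmn"] = [d for d in cfg["dmn"].split(";") if d]
    return cfg


def decode_img(cfg):
    """The "img" field is base64 over a NUL-terminated UTF-16LE string: the text
    the sample paints on the desktop wallpaper, with {EXT} filled in at run time."""
    return base64.b64decode(cfg["img"]).decode("utf-16-le").rstrip("\x00")


def kill_targets(cfg, running):
    """Image names the sample would terminate before encrypting.
    Assumption (mine, not stated in the report): "prc" entries are matched as
    case-insensitive substrings of the image name, which is why a short entry
    such as "sql" covers sqlservr.exe and sqlwriter.exe."""
    return [name for name in running if any(p in name.lower() for p in cfg["prc"])]


def services_to_stop(cfg, services):
    """Service names containing an "svc" entry (same substring assumption)."""
    return [s for s in services if any(t in s.lower() for t in cfg["svc"])]


def is_skipped(cfg, path):
    """True when the encryptor would leave the path alone (my reading of the
    whitelist: a folder named in "fld" anywhere on the path, a file named in
    "fls", or an extension in "ext", all case-insensitive). Note that "ldf" is
    whitelisted but "mdf" is not: on a non-whitelisted path a SQL Server
    database loses its data file and keeps its log."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
    if not parts:
        return True
    *folders, filename = parts
    wht = cfg["wht"]
    if any(f in wht["fld"] for f in folders) or filename in wht["fls"]:
        return True
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return ext in wht["ext"]


if __name__ == "__main__":
    cfg = load_config(REVIL_CONFIG_JSON)
    print("sub id:", cfg["sub"], "| beacon domains:", cfg["dmn"])
    print("wallpaper text:", repr(decode_img(cfg)))
    print("kill:", kill_targets(cfg, ["explorer.exe", "sqlservr.exe", "outlook.exe"]))
    print("stop:", services_to_stop(cfg, ["VSS", "MSSQLSERVER", "Spooler"]))
    for p in (r"C:\Windows\System32\kernel32.dll", r"D:\data\invoices.mdf", r"D:\data\invoices.ldf"):
        print(p, "skipped" if is_skipped(cfg, p) else "ENCRYPTED")
```

The decoded "img" text is the wallpaper message, and its {EXT}-readme.txt template is the same naming the dropped kv8s5p-readme.txt notes follow further down. The whitelist functions are useful in the other direction too: given a file listing from an affected host, they tell you which files were never touched and so need no restore.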
            Source: 835f242d_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | Directory created: c:\program files\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File created: C:\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File created: c:\program files\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File created: c:\program files (x86)\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File created: c:\recovery\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File created: c:\users\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File created: c:\program files (x86)\microsoft sql server\kv8s5p-readme.txt
            Source: 835f242d_by_Libranalysis.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: MsMpEng.pdb source: 835f242d_by_Libranalysis.exe
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File opened (drive roots, in the order listed): z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exe | Code function: 0_2_00A251FA FindFirstFileExW,
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | Code function: 1_2_6DE80D10 FindFirstFileExA,
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File opened: C:\Program Files\Google\Chrome\NULL
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File opened: C:\Program Files\Google\NULL
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File opened: C:\Program Files\Google\Chrome\Application\NULL
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File opened: C:\Program Files\Google\Chrome
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File opened: C:\Program Files\Google\Chrome\Application

            Networking:

            Found Tor onion address
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp | String found in binary or memory: TOR LINK: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
            Source: MsMpEng.exe, 00000001.00000003.410324514.0000000003025000.00000004.00000040.sdmp | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/20B11F4B41AFF0FC
            Source: kv8s5p-readme.txt4.1.dr | String found in binary or memory: TOR LINK: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion
            Source: kv8s5p-readme.txt4.1.dr | String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/20B11F4B41AFF0FC
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp | String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
            Source: MsMpEng.exe, 00000001.00000003.410324514.0000000003025000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/20B11F4B41AFF0FC
            Source: 835f242d_by_Libranalysis.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: 835f242d_by_Libranalysis.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
            Source: 835f242d_by_Libranalysis.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp | String found in binary or memory: http://decoder.re/
            Source: MsMpEng.exe, 00000001.00000003.410324514.0000000003025000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: http://decoder.re/20B11F4B41AFF0FC
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion
            Source: 835f242d_by_Libranalysis.exe | String found in binary or memory: http://ocsp.comodoca.com0
            Source: 835f242d_by_Libranalysis.exe | String found in binary or memory: http://ocsp.sectigo.com0#
            Source: 835f242d_by_Libranalysis.exe | String found in binary or memory: http://www.openssl.org/support/faq.html
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12snhpq
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12snove
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12snwr2
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12so1hd
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12soddz
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12soixl
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12sosd4
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12spv2c
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12spx8h
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12sq1zr
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12sqp2b
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://prnt.sc/12sr4sl
            Source: 835f242d_by_Libranalysis.exe | String found in binary or memory: https://sectigo.com/CPS0
            Source: MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | String found in binary or memory: https://torproject.org/
            Source: MsMpEng.exe, 00000001.00000003.440361912.00000000046A1000.00000004.00000001.sdmp | Binary or memory string: !F_WinAPI_RegisterRawInputDevices.au3a

            Spam, unwanted Advertisements and Ransom Demands:

            Found ransom note / readme
            Source: C:\kv8s5p-readme.txt | Dropped file:
                Dear Agile Group,
                you are welcomed by the REvil team.
                [+] Whats Happen? [+]
                Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension kv8s5p.
                By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
                We also downloaded a lot of sensitive data from your servers and in case of non-payment on your part, we will start uploading your files to our public blog:
                TOR LINK: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion
                Proof of the seriousness of our intentions:
                https://prnt.sc/12snhpq
                https://prnt.sc/12sqp2b
                https://prnt.sc/12soddz
                https://prnt.sc/12spv2c
                https://prnt.sc/12snwr2
                https://prnt.sc/12spx8h
                https://prnt.sc/12sq1zr
                https://prnt.sc/12snove
                https://prnt.sc/12soixl
                https://prnt.sc/12sr4sl
                https://prnt.sc/12so1hd
                https://prnt.sc/12sosd4
                [+] What guarantees? [+]
                Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
                If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
                [+] How to get access
            Yara detected Sodinokibi Ransomware
            Source: Yara match | File source: 00000001.00000003.228395143.0000000003098000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.228349911.0000000003098000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.228303607.0000000003098000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.228590751.0000000003098000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.410300982.0000000003098000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.228598770.0000000003098000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.228550525.0000000003098000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.228482814.0000000003098000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.228442581.0000000003098000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: MsMpEng.exe PID: 6384, type: MEMORY
            Writes a notice file (html or txt) to demand a ransom
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File dropped (same note in each of the six locations): C:\kv8s5p-readme.txt, C:\Program Files\kv8s5p-readme.txt, C:\Program Files (x86)\kv8s5p-readme.txt, C:\Recovery\kv8s5p-readme.txt, C:\Users\kv8s5p-readme.txt, C:\Program Files (x86)\Microsoft SQL Server\kv8s5p-readme.txt -> (excerpt, recorded in lower case)
                decrypt one file for free. that is our guarantee.
                if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practice - time is much more valuable than money.
                [+] how to get access on website? [+]
                you have two ways:
                1) [recommended] using a tor browser!
                  a) download and install tor browser from this site: https://torproject.org/
                  b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/20b11f4b41aff0fc
                2) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this:
                  a) open your any browser (chrome, firefox, opera, ie, edge)
                  b) open our secondary website: http://decoder.re/20b11f4b41aff0fc
                warning: secondary website can be blocked, thats why first variant much better and more available.
                when you open our website, put the following data in the input form:
                key:
                v4vdyl1msr/g8tv9fu3+0akqsfxjezk3eptxjxqfcvtzdzke8unmbs1dvn
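Everything an incident responder needs from the note sits in its text: the extension the sample appended (which also names the note file, matching the {EXT}-readme.txt template in the configuration), the 16-hex-digit victim id that the Tor site and the decoder.re fallback share (the memory strings above still show the unfilled {UID} template), and the two v3 onion addresses. The script below is an added example, not from the report or the sample, that parses a reconstructed copy of the note and verifies each onion address with the v3 checksum (SHA3-256 over ".onion checksum" || public key || version) so that a transcription error in an indicator is caught before it reaches a blocklist. The reassembled note text and the regular expressions are mine; the indicators in it are the ones recorded above.

```python
import base64
import hashlib
import re

# Constructed input: the kv8s5p-readme.txt recovered by the sandbox, re-assembled
# from the two excerpts in the report (salutation, extension, Tor links, victim
# id and the truncated key as recorded there; screenshot links cut to two).
RANSOM_NOTE = """Dear Agile Group,
you are welcomed by the REvil team.

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension kv8s5p.
We also downloaded a lot of sensitive data from your servers and in case of non-payment on your part, we will start uploading your files to our public blog:
TOR LINK: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion
Proof of the seriousness of our intentions:
https://prnt.sc/12snhpq
https://prnt.sc/12sqp2b

[+] How to get access on website? [+]

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/20B11F4B41AFF0FC
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/20B11F4B41AFF0FC

When you open our website, put the following data in the input form:
Key:
v4vdyl1msr/g8tv9fu3+0akqsfxjezk3eptxjxqfcvtzdzke8unmbs1dvn
"""

URL_RE = re.compile(r"https?://\S+")
ONION_V3_RE = re.compile(r"^([a-z2-7]{56})\.onion$")
EXT_RE = re.compile(r"has extension\s+([0-9a-z]+)\.", re.I)
UID_RE = re.compile(r"/([0-9a-f]{16})$", re.I)


def onion_v3_checksum_ok(label):
    """Validate a 56-character v3 onion label the way Tor does: it decodes to
    pubkey[32] || checksum[2] || version[1], version must be 3 and checksum
    must equal SHA3-256(".onion checksum" || pubkey || version)[:2]. A typo
    made while copying an indicator fails this check."""
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:
        return False
    if len(raw) != 35 or raw[34] != 3:
        return False
    pubkey, checksum = raw[:32], raw[32:34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return expected == checksum


def host_of(url):
    return url.split("//", 1)[1].split("/", 1)[0].lower()


def parse_note(text):
    """Pull the indicators an incident responder needs out of a Sodinokibi note."""
    onion, fallback, screenshots, uid = {}, [], [], None
    for url in sorted(set(URL_RE.findall(text))):
        host = host_of(url)
        m = ONION_V3_RE.match(host)
        if m:
            onion[host] = onion_v3_checksum_ok(m.group(1))
        elif host == "prnt.sc":          # "proof" screenshots of exfiltrated data
            screenshots.append(url)
        elif host != "torproject.org":   # clearnet fallback such as decoder.re
            fallback.append(url)
        m_uid = UID_RE.search(url)       # the per-victim id on the payment URLs
        if m_uid:
            uid = m_uid.group(1).upper()
    m_ext = EXT_RE.search(text)
    ext = m_ext.group(1) if m_ext else None
    return {
        "ext": ext,
        "note_name": f"{ext}-readme.txt" if ext else None,  # {EXT}-readme.txt template
        "uid": uid,
        "onion": onion,            # address -> checksum valid?
        "fallback": fallback,
        "screenshots": screenshots,
    }


if __name__ == "__main__":
    for k, v in parse_note(RANSOM_NOTE).items():
        print(f"{k}: {v}")
```

The victim id is the one value worth keeping beyond the indicator list: it ties every note on every host of one intrusion to the same payment record, so a second id appearing in the same network means a second, separately keyed infection.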

            System Summary:

            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exe | Code function: 0_2_00A2AAC5
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | Code functions (46): 1_2_6DE755F5, 1_2_6DE155C0, 1_2_6DE17D80, 1_2_6DE16D80, 1_2_6DE29D80, 1_2_6DE15D90, 1_2_6DE28590, 1_2_6DE79D50, 1_2_6DE24510, 1_2_6DE1BCE0, 1_2_6DE18CA0, 1_2_6DE18440, 1_2_6DE42400, 1_2_6DE187F0, 1_2_6DE18FB0, 1_2_6DE19700, 1_2_6DE1CEB0, 1_2_6DE17EB9, 1_2_6DE24690, 1_2_6DE17610, 1_2_6DE1F9C0, 1_2_6DE2A1A0, 1_2_6DE178F0, 1_2_6DE170D0, 1_2_6DE430D0, 1_2_6DE188B0, 1_2_6DE1C8B0, 1_2_6DE8389A, 1_2_6DE19860, 1_2_6DE15020, 1_2_6DE75824, 1_2_6DE16830, 1_2_6DE70030, 1_2_6DE18000, 1_2_6DE173A0, 1_2_6DE193B0, 1_2_6DE1D3B0, 1_2_6DE15B90, 1_2_6DE2B340, 1_2_6DE86B5B, 1_2_6DE16B30, 1_2_6DE18AE0, 1_2_6DE162C0, 1_2_6DE2BA60, 1_2_6DE18240, 1_2_6DE21A20
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\MsMpEng.exe, SHA256 33BC14D231A4AFAA18F06513766D5F69D8B88F1E697CD127D24FB4B72AD44C7A
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | Code function: String function: 6DE13740 appears 84 times
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | Code function: String function: 6DE6EDB0 appears 37 times
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | Code function: String function: 6DE13320 appears 50 times
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | Code function: String function: 6DE6E3B0 appears 116 times
            Source: 835f242d_by_Libranalysis.exe | Static PE information: invalid certificate
            Source: 835f242d_by_Libranalysis.exe | Static PE information: Resource name: DEFCOMINSTALLER type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Source: 835f242d_by_Libranalysis.exe | Static PE information: Resource name: WINDEFENDER type: PE32 executable (GUI) Intel 80386, for MS Windows
            Source: 835f242d_by_Libranalysis.exe, 00000000.00000000.227208008.0000000000A34000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMsMpEng.exeZ vs 835f242d_by_Libranalysis.exe
            Source: 835f242d_by_Libranalysis.exe | Binary or memory string: OriginalFilenameMsMpEng.exeZ vs 835f242d_by_Libranalysis.exe
            Source: 835f242d_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000001.00000002.497457218.0000000000CE8000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
            Source: 00000001.00000002.497262037.0000000000CA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_RANSOM_REvil_Oct20_1 (same rule metadata as above)
            Source: classification engine | Classification label: mal96.rans.evad.winEXE@4/8@0/0
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exe | Code function: 0_2_00A21130 FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,LockResource,
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File created: c:\program files\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File created: c:\users\kv8s5p-readme.txt
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exe | File created: C:\Users\user\AppData\Local\Temp\Mpsvc.dll
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exe | Command line argument: Mpsvc.dll
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exe | Command line argument: MsMpEng.exe
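The lines above describe the delivery: the dropper carries two PE resources, DEFCOMINSTALLER (a DLL) and WINDEFENDER (an EXE), locates them with FindResource/LoadResource/LockResource, writes them to %TEMP% as Mpsvc.dll and MsMpEng.exe and starts MsMpEng.exe from there; the Yara hits and the REvil configuration are then found inside that MsMpEng.exe process. MsMpEng.exe is the file name of the Windows Defender engine host and resolves Mpsvc.dll next to itself, so the ransomware logic rides in the DLL while the process name looks like Defender. In the well-documented form of this technique the dropped host is a genuine Microsoft-signed build, so a signature check on the process does not help; its location and parent do. The following is an added example, not from the report or from any vendor, that runs three such rules over constructed Sysmon-style records (event 1 process create, 7 image load, 11 file create) mirroring this report's process tree; the legitimate Defender directories and the versioned Platform folder name are my assumptions about a standard Windows 10 layout.

```python
import ntpath

# Directories a genuine Defender engine host runs from. Assumption (mine):
# standard Windows 10 layout; the versioned folder under Platform\ changes
# with every engine update, so only the prefix is compared.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
DEFENDER_FILES = {"msmpeng.exe", "mpsvc.dll"}
SERVICE_HOST = r"c:\windows\system32\services.exe"   # the only expected parent

# Constructed Sysmon-style records mirroring the report's process tree: the
# dropper on the Desktop writes Mpsvc.dll and MsMpEng.exe to %TEMP%, starts the
# MsMpEng.exe it dropped, and that host loads the DLL beside it. The last two
# records are a benign Defender start for contrast (version folder invented).
EVENTS = [
    {"id": 11, "image": r"C:\Users\user\Desktop\835f242d_by_Libranalysis.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\Mpsvc.dll"},
    {"id": 11, "image": r"C:\Users\user\Desktop\835f242d_by_Libranalysis.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\MsMpEng.exe"},
    {"id": 1, "image": r"C:\Users\user\AppData\Local\Temp\MsMpEng.exe",
     "parent": r"C:\Users\user\Desktop\835f242d_by_Libranalysis.exe"},
    {"id": 7, "image": r"C:\Users\user\AppData\Local\Temp\MsMpEng.exe",
     "loaded": r"C:\Users\user\AppData\Local\Temp\Mpsvc.dll"},
    {"id": 1, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MsMpEng.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": 7, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MsMpEng.exe",
     "loaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\mpsvc.dll"},
]


def _norm(path):
    return path.replace("/", "\\").lower()


def in_defender_dir(path):
    return _norm(path).startswith(DEFENDER_DIRS)


def is_defender_file(path):
    return ntpath.basename(path).lower() in DEFENDER_FILES


def detect(events):
    """Return (rule, detail) tuples for records matching one of three rules:
    1. a file named like a Defender component written outside Defender's directories,
    2. MsMpEng.exe started from outside them, or by anything other than services.exe,
    3. a process loading Mpsvc.dll from outside them (the sideload itself)."""
    alerts = []
    for ev in events:
        if ev["id"] == 11 and is_defender_file(ev["target"]) and not in_defender_dir(ev["target"]):
            alerts.append(("defender_component_dropped", ev["target"]))
        elif ev["id"] == 1 and ntpath.basename(ev["image"]).lower() == "msmpeng.exe":
            if not in_defender_dir(ev["image"]):
                alerts.append(("msmpeng_outside_defender_dir", ev["image"]))
            if _norm(ev["parent"]) != SERVICE_HOST:
                alerts.append(("msmpeng_unexpected_parent", ev["parent"]))
        elif ev["id"] == 7 and ntpath.basename(ev["loaded"]).lower() == "mpsvc.dll" \
                and not in_defender_dir(ev["loaded"]):
            alerts.append(("mpsvc_sideloaded", f'{ev["image"]} <- {ev["loaded"]}'))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

The file-create rule fires first and earliest, before any ransomware code has run, which is the point of watching for Defender component names landing in user-writable directories rather than waiting for the image-load event.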
            Source: 835f242d_by_Libranalysis.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Process.Handle="244"::GetOwner
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Process.Handle="2892"::GetOwner
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Process.Handle="5996"::GetOwner
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe | File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 835f242d_by_Libranalysis.exe | Virustotal: Detection: 47%
            Source: 835f242d_by_Libranalysis.exe | ReversingLabs: Detection: 36%
            Source: 835f242d_by_Libranalysis.exe | String found in binary or memory: set-addPolicy
            Source: 835f242d_by_Libranalysis.exe | String found in binary or memory: lhash part of OpenSSL 1.0.2l 25 May 2017.\crypto\lhash\lhash.c.\crypto\asn1\a_object.cNULL<INVALID>.\crypto\asn1\evp_asn1.csetct-CredRevResDatasetct-PCertReqDatasetct-PCertResTBSsetct-BatchAdminReqDatasetct-BatchAdminResDatasetct-CardCInitResTBSsetct-MeAqCInitResTBSsetct-RegFormResTBSsetct-CertReqDatasetct-CertReqTBSsetct-CertResDatasetct-CertInqReqTBSsetct-ErrorTBSsetct-PIDualSignedTBEsetct-PIUnsignedTBEsetct-AuthReqTBEsetct-AuthResTBEsetct-AuthResTBEXsetct-AuthTokenTBEsetct-CapTokenTBEsetct-CapTokenTBEXsetct-AcqCardCodeMsgTBEsetct-AuthRevReqTBEsetct-AuthRevResTBEsetct-AuthRevResTBEBsetct-CapReqTBEsetct-CapReqTBEXsetct-CapResTBEsetct-CapRevReqTBEsetct-CapRevReqTBEXsetct-CapRevResTBEsetct-CredReqTBEsetct-CredReqTBEXsetct-CredResTBEsetct-CredRevReqTBEsetct-CredRevReqTBEXsetct-CredRevResTBEsetct-BatchAdminReqTBEsetct-BatchAdminResTBEsetct-RegFormReqTBEsetct-CertReqTBEsetct-CertReqTBEXsetct-CertResTBEsetct-CRLNotificationTBSsetct-CRLNotificationResTBSsetct-BCIDistributionTBSsetext-genCryptgeneric cryptogramsetext-miAuthmerchant initiated authsetext-pinSecuresetext-pinAnysetext-track2setext-cvadditional verificationset-policy-rootsetCext-hashedRootsetCext-certTypesetCext-merchDatasetCext-cCertRequiredsetCext-tunnelingsetCext-setExtsetCext-setQualfsetCext-PGWYcapabilitiessetCext-TokenIdentifiersetCext-Track2DatasetCext-TokenTypesetCext-IssuerCapabilitiessetAttr-CertsetAttr-PGWYcappayment gateway capabilitiessetAttr-TokenTypesetAttr-IssCapissuer capabilitiesset-rootKeyThumbset-addPolicysetAttr-Token-EMVsetAttr-Token-B0PrimesetAttr-IssCap-CVMsetAttr-IssCap-T2setAttr-IssCap-SigsetAttr-GenCryptgrmgenerate cryptogramsetAttr-T2Encencrypted track 2setAttr-T2cleartxtcleartext track 2setAttr-TokICCsigICC or token signaturesetAttr-SecDevSigsecure device signatureset-brand-IATA-ATAset-brand-Dinersset-brand-AmericanExpressset-brand-JCBset-brand-Visaset-brand-MasterCardset-brand-NovusDES-CDMFdes-cdmfrsaOAEPEncryptionSETITU-Titu-tJOINT-ISO-ITU-Tjoint-iso-itu-tinternational-organizationsInternational OrganizationsmsSmartcardLoginMicrosoft SmartcardloginmsUPNMicrosoft Universal Principal NameAES-128-CFB1aes-128-cfb1AES-192-CFB1aes-192-cfb1AES-256-CFB1aes-256-cfb1AES-128-CFB8aes-128-cfb8AES-192-CFB8aes-192-cfb8AES-256-CFB8aes-256-cfb8DES-CFB1des-cfb1DES-CFB8des-cfb8DES-EDE3-CFB1des-ede3-cfb1DES-EDE3-CFB8des-ede3-cfb8streetstreetAddresspostalCodeid-pplproxyCertInfoProxy Certificate Informationid-ppl-anyLanguageAny languageid-ppl-inheritAllInherit allnameConstraintsX509v3 Name Constraintsid-ppl-independentIndependentRSA-SHA256sha256WithRSAEncryptionRSA-SHA384sha384WithRSAEncryptionRSA-SHA512sha512WithRSAEncryptionRSA-SHA224sha224WithRSAEncryptionSHA256sha256SHA384sha384SHA512sha512SHA224sha224identified-organizationcerticom-arcwapwap-wsgid-characteristic-two-basisonBasistpBasisppBasisc2pnb163v1c2pnb163v2c2pnb163v3c2pnb176v1c2tnb191v1c2tnb191v2c2tnb191v3c2onb191v4c2onb191v5c2pnb208w1c2tnb239v1c2tnb239v2c2tnb239v3c2onb239v4c2onb239v5c2pnb272w1c2pnb304w1*
            Source: 835f242d_by_Libranalysis.exe | String found in binary or memory: id-cmc-addExtensions
            Source: unknownProcess created: C:\Users\user\Desktop\835f242d_by_Libranalysis.exe 'C:\Users\user\Desktop\835f242d_by_Libranalysis.exe'
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeProcess created: C:\Users\user\AppData\Local\Temp\MsMpEng.exe C:\Users\user\AppData\Local\Temp\MsMpEng.exe
            Source: unknownProcess created: C:\Windows\System32\wbem\unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeProcess created: C:\Users\user\AppData\Local\Temp\MsMpEng.exe C:\Users\user\AppData\Local\Temp\MsMpEng.exe
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InProcServer32
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeDirectory created: c:\program files\kv8s5p-readme.txt
            Source: 835f242d_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: 835f242d_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: 835f242d_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: 835f242d_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: 835f242d_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: 835f242d_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: 835f242d_by_Libranalysis.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: 835f242d_by_Libranalysis.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: MsMpEng.pdb source: 835f242d_by_Libranalysis.exe
            Source: 835f242d_by_Libranalysis.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: 835f242d_by_Libranalysis.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: 835f242d_by_Libranalysis.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: 835f242d_by_Libranalysis.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: 835f242d_by_Libranalysis.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeCode function: 1_2_6DE111C0 LoadLibraryA,GetProcAddress,
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeCode function: 0_2_00A21AD6 push ecx; ret
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeCode function: 1_2_6DE6EDF6 push ecx; ret
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeFile created: C:\Users\user\AppData\Local\Temp\Mpsvc.dll
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeFile created: C:\Users\user\AppData\Local\Temp\MsMpEng.exe
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile created: C:\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile created: c:\program files\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile created: c:\program files (x86)\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile created: c:\recovery\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile created: c:\users\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile created: c:\program files (x86)\microsoft sql server\kv8s5p-readme.txt
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeCode function: 1_2_6DE21A20 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes

            Malware Analysis System Evasion:

            Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Service'
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\computer\root\CIMV2:Win32_Service.Name="VSS"::StopService
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeWindow / User API: threadDelayed 4045
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exe TID: 6408Thread sleep count: 4045 > 30
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeCode function: 0_2_00A251FA FindFirstFileExW,
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeCode function: 1_2_6DE80D10 FindFirstFileExA,
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile opened: C:\Program Files\Google\Chrome\NULL
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile opened: C:\Program Files\Google\NULL
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile opened: C:\Program Files\Google\Chrome\Application\NULL
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile opened: C:\Program Files\Google\Chrome
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile opened: C:\Program Files\Google\Chrome\Application\85.0.4183.121
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeFile opened: C:\Program Files\Google\Chrome\Application
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeCode function: 0_2_00A2184C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeCode function: 1_2_6DE111C0 LoadLibraryA,GetProcAddress,
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeCode function: 0_2_00A23D0E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeCode function: 1_2_6DE7102A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeCode function: 0_2_00A2701D GetProcessHeap,
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeCode function: 0_2_00A219DF SetUnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeCode function: 0_2_00A21C9F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeCode function: 0_2_00A2184C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeCode function: 0_2_00A24BA9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeCode function: 1_2_6DE6EC23 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeCode function: 1_2_6DE7BC32 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeCode function: 1_2_6DE6E40C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: MsMpEng.exe, 00000001.00000002.499808464.00000000012B0000.00000002.00000001.sdmp, unsecapp.exe, 00000014.00000002.500306364.0000024A05A80000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: MsMpEng.exe, 00000001.00000002.499808464.00000000012B0000.00000002.00000001.sdmp, unsecapp.exe, 00000014.00000002.500306364.0000024A05A80000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: MsMpEng.exe, 00000001.00000002.499808464.00000000012B0000.00000002.00000001.sdmp, unsecapp.exe, 00000014.00000002.500306364.0000024A05A80000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
            Source: MsMpEng.exe, 00000001.00000002.499808464.00000000012B0000.00000002.00000001.sdmp, unsecapp.exe, 00000014.00000002.500306364.0000024A05A80000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
            Source: MsMpEng.exe, 00000001.00000002.499808464.00000000012B0000.00000002.00000001.sdmp, unsecapp.exe, 00000014.00000002.500306364.0000024A05A80000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeCode function: 0_2_00A21AEB cpuid
            Source: C:\Users\user\AppData\Local\Temp\MsMpEng.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\835f242d_by_Libranalysis.exeCode function: 0_2_00A21735 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
            Source: MsMpEng.exeBinary or memory string: C:\Users\user\AppData\Local\Temp\MsMpEng.exe
            Source: 835f242d_by_Libranalysis.exe, MsMpEng.exeBinary or memory string: MsMpEng.exe

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Replication Through Removable Media1Windows Management Instrumentation11Application Shimming1Process Injection2Masquerading3Input Capture11System Time Discovery1Replication Through Removable Media1Input Capture11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationData Encrypted for Impact1
            Default AccountsCommand and Scripting Interpreter3Boot or Logon Initialization ScriptsApplication Shimming1Virtualization/Sandbox Evasion2LSASS MemoryQuery Registry1Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothProxy1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsNative API1Logon Script (Windows)Logon Script (Windows)Process Injection2Security Account ManagerSecurity Software Discovery24SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Deobfuscate/Decode Files or Information1NTDSVirtualization/Sandbox Evasion2Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information2LSA SecretsProcess Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing1Cached Domain CredentialsApplication Window Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncPeripheral Device Discovery11Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemFile and Directory Discovery3Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowSystem Information Discovery24Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 414392; Sample: 835f242d_by_Libranalysis; Startdate: 14/05/2021; Architecture: WINDOWS; Score: 96
            Signatures on the start node: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures
            Processes started from the start node: 835f242d_by_Libranalysis.exe; unsecapp.exe
            835f242d_by_Libranalysis.exe dropped: C:\Users\user\AppData\Local\...\MsMpEng.exe (PE32); C:\Users\user\AppData\Local\Temp\Mpsvc.dll (PE32); and started MsMpEng.exe
            MsMpEng.exe dropped: C:\kv8s5p-readme.txt (data); C:\Users\kv8s5p-readme.txt (data); C:\Recovery\kv8s5p-readme.txt (data); 3 other malicious files
            Signatures on MsMpEng.exe: Writes a notice file (html or txt) to demand a ransom; Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

            Source | Detection | Scanner | Label
            835f242d_by_Libranalysis.exe | 48% | Virustotal |
            835f242d_by_Libranalysis.exe | 36% | ReversingLabs | Win32.Ransomware.Revil
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\Mpsvc.dll | 34% | ReversingLabs | Win32.Ransomware.Revil
            C:\Users\user\AppData\Local\Temp\MsMpEng.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\Temp\MsMpEng.exe | 0% | ReversingLabs |
            Source | Detection | Scanner | Label
            0.0.835f242d_by_Libranalysis.exe.a20000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen5
            0.2.835f242d_by_Libranalysis.exe.a20000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen5
            No Antivirus matches
            Source | Detection | Scanner | Label
            http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/20B11F4B41AFF0FC | 0% | Avira URL Cloud | safe
            https://sectigo.com/CPS0 | 0% | URL Reputation | safe
            http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ | 0% | Avira URL Cloud | safe
            http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion | 0% | Avira URL Cloud | safe
            http://decoder.re/ | 0% | Avira URL Cloud | safe
            http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
            http://decoder.re/20B11F4B41AFF0FC | 0% | Avira URL Cloud | safe
            http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
            http://ocsp.sectigo.com0# | 0% | URL Reputation | safe
            No contacted domains info
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://prnt.sc/12so1hd | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/20B11F4B41AFF0FC | MsMpEng.exe, 00000001.00000003.410324514.0000000003025000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | true | Avira URL Cloud: safe | unknown
            https://sectigo.com/CPS0 | 835f242d_by_Libranalysis.exe | false | URL Reputation: safe | unknown
            http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/ | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp | true | Avira URL Cloud: safe | unknown
            https://prnt.sc/12spv2c | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | true | Avira URL Cloud: safe | unknown
            https://prnt.sc/12sq1zr | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            https://prnt.sc/12spx8h | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            https://prnt.sc/12sr4sl | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            http://decoder.re/ | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp | true | Avira URL Cloud: safe | unknown
            https://prnt.sc/12snhpq | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            https://torproject.org/ | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            https://prnt.sc/12soixl | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            https://prnt.sc/12sqp2b | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            https://prnt.sc/12snove | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 835f242d_by_Libranalysis.exe | false | URL Reputation: safe | unknown
            http://decoder.re/20B11F4B41AFF0FC | MsMpEng.exe, 00000001.00000003.410324514.0000000003025000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | Avira URL Cloud: safe | unknown
            https://prnt.sc/12sosd4 | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 835f242d_by_Libranalysis.exe | false | URL Reputation: safe | unknown
            https://prnt.sc/12snwr2 | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            http://ocsp.sectigo.com0# | 835f242d_by_Libranalysis.exe | false | URL Reputation: safe | unknown
            https://prnt.sc/12soddz | MsMpEng.exe, 00000001.00000003.410275333.0000000003035000.00000004.00000040.sdmp, kv8s5p-readme.txt4.1.dr | false | | high
            http://www.openssl.org/support/faq.html | 835f242d_by_Libranalysis.exe | false | | high
                                        No contacted IP infos

                                        General Information

                                        Joe Sandbox Version:32.0.0 Black Diamond
                                        Analysis ID:414392
                                        Start date:14.05.2021
                                        Start time:17:23:18
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 7m 22s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Sample file name:835f242d_by_Libranalysis (renamed file extension from none to exe)
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed:25
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal96.rans.evad.winEXE@4/8@0/0
                                        EGA Information:Failed
                                        HDC Information:
                                        • Successful, ratio: 20.3% (good quality ratio 18.3%)
                                        • Quality average: 76%
                                        • Quality standard deviation: 32.2%
                                        HCA Information:Failed
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        Warnings:
                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                        • Report size getting too big, too many NtOpenFile calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                        No simulations
                                        No context
                                        Match | Associated Sample Name / URL | Detection
                                        C:\Users\user\AppData\Local\Temp\MsMpEng.exe | seu.exe | malicious
                                        C:\Users\user\AppData\Local\Temp\MsMpEng.exe | srnmp.exe | malicious
                                        C:\Users\user\AppData\Local\Temp\MsMpEng.exe | BORANG MAKLUMBALAS - SESI WORKSHOP DIREKTORAT.doc | malicious
                                        C:\Users\user\AppData\Local\Temp\MsMpEng.exe | BRIEF WRITE ON EVENT IDE 18 JAN.docx | malicious
                                                C:\Program Files (x86)\Microsoft SQL Server\kv8s5p-readme.txt
                                                Process:C:\Users\user\AppData\Local\Temp\MsMpEng.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8080
                                                Entropy (8bit):3.8510105097042504
                                                Encrypted:false
                                                SSDEEP:96:6LOAtxP5/dUPNrQtxU3TPWsLt+LpCiWHNhcoAlJ5e5TsgoIkShOd9Pr+5u:6LO+5LUB3jVqpZGKFetfheDx
                                                MD5:D0840BA5CD453EFE2FA6C8FE59684E61
                                                SHA1:0E82580BDD24E1786B8D4C9049346344D1D5F0AA
                                                SHA-256:7862D15F1031DB9E6E068B84FE39DBBE14985EBA9688EBA7DCBB909A70CD9E43
                                                SHA-512:D7CBFB64B2C27A4EA74F9D80A2E0151EDB5190ADA98D15ED81D0DC569242B535CADCD5DD3BCE7F8D86148EBB8CDBF4E55942B480A400ACD536CE168B4B35E3F4
                                                Malicious:true
                                                Reputation:low
                                                Preview: Dear Agile Group,
                                                you are welcomed by the REvil team.

                                                [+] Whats Happen? [+]

                                                Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension kv8s5p.
                                                By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
                                                We also downloaded a lot of sensitive data from your servers and in case of non-payment on your part, we will start uploading your files to our public bl
                                                C:\Program Files (x86)\kv8s5p-readme.txt
                                                Process:C:\Users\user\AppData\Local\Temp\MsMpEng.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8080
                                                Entropy (8bit):3.8510105097042504
                                                Encrypted:false
                                                SSDEEP:96:6LOAtxP5/dUPNrQtxU3TPWsLt+LpCiWHNhcoAlJ5e5TsgoIkShOd9Pr+5u:6LO+5LUB3jVqpZGKFetfheDx
                                                MD5:D0840BA5CD453EFE2FA6C8FE59684E61
                                                SHA1:0E82580BDD24E1786B8D4C9049346344D1D5F0AA
                                                SHA-256:7862D15F1031DB9E6E068B84FE39DBBE14985EBA9688EBA7DCBB909A70CD9E43
                                                SHA-512:D7CBFB64B2C27A4EA74F9D80A2E0151EDB5190ADA98D15ED81D0DC569242B535CADCD5DD3BCE7F8D86148EBB8CDBF4E55942B480A400ACD536CE168B4B35E3F4
                                                Malicious:true
                                                Reputation:low
                                                Preview: Dear Agile Group,
                                                you are welcomed by the REvil team.

                                                [+] Whats Happen? [+]

                                                Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension kv8s5p.
                                                By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
                                                We also downloaded a lot of sensitive data from your servers and in case of non-payment on your part, we will start uploading your files to our public bl
                                                C:\Program Files\kv8s5p-readme.txt
                                                Process:C:\Users\user\AppData\Local\Temp\MsMpEng.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8080
                                                Entropy (8bit):3.8510105097042504
                                                Encrypted:false
                                                SSDEEP:96:6LOAtxP5/dUPNrQtxU3TPWsLt+LpCiWHNhcoAlJ5e5TsgoIkShOd9Pr+5u:6LO+5LUB3jVqpZGKFetfheDx
                                                MD5:D0840BA5CD453EFE2FA6C8FE59684E61
                                                SHA1:0E82580BDD24E1786B8D4C9049346344D1D5F0AA
                                                SHA-256:7862D15F1031DB9E6E068B84FE39DBBE14985EBA9688EBA7DCBB909A70CD9E43
                                                SHA-512:D7CBFB64B2C27A4EA74F9D80A2E0151EDB5190ADA98D15ED81D0DC569242B535CADCD5DD3BCE7F8D86148EBB8CDBF4E55942B480A400ACD536CE168B4B35E3F4
                                                Malicious:true
                                                Reputation:low
                                                Preview: D.e.a.r. .A.g.i.l.e. .G.r.o.u.p.,.....y.o.u. .a.r.e. .w.e.l.c.o.m.e.d. .b.y. .t.h.e. .R.E.v.i.l. .t.e.a.m...........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .k.v.8.s.5.p.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.).......W.e. .a.l.s.o. .d.o.w.n.l.o.a.d.e.d. .a. .l.o.t. .o.f. .s.e.n.s.i.t.i.v.e. .d.a.t.a. .f.r.o.m. .y.o.u.r. .s.e.r.v.e.r.s. .a.n.d. .i.n. .c.a.s.e. .o.f. .n.o.n.-.p.a.y.m.e.n.t. .o.n. .y.o.u.r. .p.a.r.t.,. .w.e. .w.i.l.l. .s.t.a.r.t. .u.p.l.o.a.d.i.n.g. .y.o.u.r. .f.i.l.e.s. .t.o. .o.u.r. .p.u.b.l.i.c. .b.l.
                                                C:\Recovery\kv8s5p-readme.txt
                                                Process:C:\Users\user\AppData\Local\Temp\MsMpEng.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8080
                                                Entropy (8bit):3.8510105097042504
                                                Encrypted:false
                                                SSDEEP:96:6LOAtxP5/dUPNrQtxU3TPWsLt+LpCiWHNhcoAlJ5e5TsgoIkShOd9Pr+5u:6LO+5LUB3jVqpZGKFetfheDx
                                                MD5:D0840BA5CD453EFE2FA6C8FE59684E61
                                                SHA1:0E82580BDD24E1786B8D4C9049346344D1D5F0AA
                                                SHA-256:7862D15F1031DB9E6E068B84FE39DBBE14985EBA9688EBA7DCBB909A70CD9E43
                                                SHA-512:D7CBFB64B2C27A4EA74F9D80A2E0151EDB5190ADA98D15ED81D0DC569242B535CADCD5DD3BCE7F8D86148EBB8CDBF4E55942B480A400ACD536CE168B4B35E3F4
                                                Malicious:true
                                                Reputation:low
                                                Preview: D.e.a.r. .A.g.i.l.e. .G.r.o.u.p.,.....y.o.u. .a.r.e. .w.e.l.c.o.m.e.d. .b.y. .t.h.e. .R.E.v.i.l. .t.e.a.m...........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .k.v.8.s.5.p.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.).......W.e. .a.l.s.o. .d.o.w.n.l.o.a.d.e.d. .a. .l.o.t. .o.f. .s.e.n.s.i.t.i.v.e. .d.a.t.a. .f.r.o.m. .y.o.u.r. .s.e.r.v.e.r.s. .a.n.d. .i.n. .c.a.s.e. .o.f. .n.o.n.-.p.a.y.m.e.n.t. .o.n. .y.o.u.r. .p.a.r.t.,. .w.e. .w.i.l.l. .s.t.a.r.t. .u.p.l.o.a.d.i.n.g. .y.o.u.r. .f.i.l.e.s. .t.o. .o.u.r. .p.u.b.l.i.c. .b.l.
                                                C:\Users\user\AppData\Local\Temp\Mpsvc.dll
                                                Process:C:\Users\user\Desktop\835f242d_by_Libranalysis.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):833384
                                                Entropy (8bit):6.982166546229049
                                                Encrypted:false
                                                SSDEEP:24576:szXxcwKjqd7kHeSyG/z35JCxvKtl9dfkU:KYg7aBgw9dfkU
                                                MD5:7D1807850275485397CE2BB218EFF159
                                                SHA1:45C1B556F5A875B71F2286E1ED4C7BD32E705758
                                                SHA-256:CC0CDC6A3D843E22C98170713ABF1D6AE06E8B5E34ED06AC3159ADAFE85E3BD6
                                                SHA-512:6DEF440504CE5BF64B07493149BEFE2632943145FC42B33202DAB126FC3AF78ED0097E7F38CD7A7F5E18E3D5D3D10A1924A3E6DB4FC4FCB212216C14F7106CD1
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 34%
                                                Reputation:low
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........BO..#!.#!.#!.?...#!.?....#!.?...#!.&}".#!.&}%.#!.&}$.#!.>...."!.V...#!.# ..#!.>}$.#!.>}!.#!.>}#.#!.Rich.#!.........PE..L...9..`...........!.....h...b......o...............................................|.....@.........................P7.......7..P.......................h........a...-..8............................-..@...............p............................text....f.......h.................. ..`.rdata..L............l..............@..@.data...<:...P......................@....gfids...............@..............@..@.reloc...a.......b...B..............@..B........................................................................................................................................................................................................................................................................................................
                                                C:\Users\user\AppData\Local\Temp\MsMpEng.exe
                                                Process:C:\Users\user\Desktop\835f242d_by_Libranalysis.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):22224
                                                Entropy (8bit):6.802966536066802
                                                Encrypted:false
                                                SSDEEP:384:NDr3WIqWJ1q//0GftpBjRwtxO4HRN7uJlYaibn6:FLe8ifJkuUaY6
                                                MD5:8CC83221870DD07144E63DF594C391D9
                                                SHA1:3D409B39B8502FCD23335A878F2CBDAF6D721995
                                                SHA-256:33BC14D231A4AFAA18F06513766D5F69D8B88F1E697CD127D24FB4B72AD44C7A
                                                SHA-512:E7F964A10A8799310A519FA569D264F652E13CC7EA199792DC6A5C0507DEC4A12844A87BF8BAB714255DCE717839908ED5D967CE8F65F5520FE4E7F9D25A622C
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Metadefender, Detection: 0%, Browse
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: seu.exe, Detection: malicious, Browse
                                                • Filename: srnmp.exe, Detection: malicious, Browse
                                                • Filename: BORANG MAKLUMBALAS - SESI WORKSHOP DIREKTORAT.doc, Detection: malicious, Browse
                                                • Filename: BRIEF WRITE ON EVENT IDE 18 JAN.docx, Detection: malicious, Browse
                                                Reputation:low
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K.*..*..*..R.H.*..*..*..R.M.*..R.Q.*..R.J.*..R.O.*..Rich.*..................PE..L....w,S..................................... ....@..........................`......9............`..........................$0..<....@...................@...P..$...................................H...@............0..$............................text............................... ..`.data...$.... ......................@....idata..,....0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................
                                                C:\Users\kv8s5p-readme.txt
                                                Process:C:\Users\user\AppData\Local\Temp\MsMpEng.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8080
                                                Entropy (8bit):3.8510105097042504
                                                Encrypted:false
                                                SSDEEP:96:6LOAtxP5/dUPNrQtxU3TPWsLt+LpCiWHNhcoAlJ5e5TsgoIkShOd9Pr+5u:6LO+5LUB3jVqpZGKFetfheDx
                                                MD5:D0840BA5CD453EFE2FA6C8FE59684E61
                                                SHA1:0E82580BDD24E1786B8D4C9049346344D1D5F0AA
                                                SHA-256:7862D15F1031DB9E6E068B84FE39DBBE14985EBA9688EBA7DCBB909A70CD9E43
                                                SHA-512:D7CBFB64B2C27A4EA74F9D80A2E0151EDB5190ADA98D15ED81D0DC569242B535CADCD5DD3BCE7F8D86148EBB8CDBF4E55942B480A400ACD536CE168B4B35E3F4
                                                Malicious:true
                                                Reputation:low
                                                Preview: D.e.a.r. .A.g.i.l.e. .G.r.o.u.p.,.....y.o.u. .a.r.e. .w.e.l.c.o.m.e.d. .b.y. .t.h.e. .R.E.v.i.l. .t.e.a.m...........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .k.v.8.s.5.p.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.).......W.e. .a.l.s.o. .d.o.w.n.l.o.a.d.e.d. .a. .l.o.t. .o.f. .s.e.n.s.i.t.i.v.e. .d.a.t.a. .f.r.o.m. .y.o.u.r. .s.e.r.v.e.r.s. .a.n.d. .i.n. .c.a.s.e. .o.f. .n.o.n.-.p.a.y.m.e.n.t. .o.n. .y.o.u.r. .p.a.r.t.,. .w.e. .w.i.l.l. .s.t.a.r.t. .u.p.l.o.a.d.i.n.g. .y.o.u.r. .f.i.l.e.s. .t.o. .o.u.r. .p.u.b.l.i.c. .b.l.
                                                C:\kv8s5p-readme.txt
                                                Process:C:\Users\user\AppData\Local\Temp\MsMpEng.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8080
                                                Entropy (8bit):3.8510105097042504
                                                Encrypted:false
                                                SSDEEP:96:6LOAtxP5/dUPNrQtxU3TPWsLt+LpCiWHNhcoAlJ5e5TsgoIkShOd9Pr+5u:6LO+5LUB3jVqpZGKFetfheDx
                                                MD5:D0840BA5CD453EFE2FA6C8FE59684E61
                                                SHA1:0E82580BDD24E1786B8D4C9049346344D1D5F0AA
                                                SHA-256:7862D15F1031DB9E6E068B84FE39DBBE14985EBA9688EBA7DCBB909A70CD9E43
                                                SHA-512:D7CBFB64B2C27A4EA74F9D80A2E0151EDB5190ADA98D15ED81D0DC569242B535CADCD5DD3BCE7F8D86148EBB8CDBF4E55942B480A400ACD536CE168B4B35E3F4
                                                Malicious:true
                                                Reputation:low
                                                Preview: D.e.a.r. .A.g.i.l.e. .G.r.o.u.p.,.....y.o.u. .a.r.e. .w.e.l.c.o.m.e.d. .b.y. .t.h.e. .R.E.v.i.l. .t.e.a.m...........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u.r. .s.y.s.t.e.m. .h.a.s. .e.x.t.e.n.s.i.o.n. .k.v.8.s.5.p.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.).......W.e. .a.l.s.o. .d.o.w.n.l.o.a.d.e.d. .a. .l.o.t. .o.f. .s.e.n.s.i.t.i.v.e. .d.a.t.a. .f.r.o.m. .y.o.u.r. .s.e.r.v.e.r.s. .a.n.d. .i.n. .c.a.s.e. .o.f. .n.o.n.-.p.a.y.m.e.n.t. .o.n. .y.o.u.r. .p.a.r.t.,. .w.e. .w.i.l.l. .s.t.a.r.t. .u.p.l.o.a.d.i.n.g. .y.o.u.r. .f.i.l.e.s. .t.o. .o.u.r. .p.u.b.l.i.c. .b.l.

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):6.957956813559063
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:835f242d_by_Libranalysis.exe
                                                File size:933736
                                                MD5:835f242dde220cc76ee5544119562268
                                                SHA1:8118474606a68c03581eef85a05a90275aa1ec24
                                                SHA256:dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f
                                                SHA512:4fadf14fd5d1ef5948477185e4d2a8a00414f63c7db8fc440c7b28c8f288e29df4447f2a9cf61b2778c8af1d68261c9ff5bebd4c36d69b33715e66f06acb2539
                                                SSDEEP:24576:gJdzXxcwKjqd7kHeSyG/z35JCxvKtl9dfkV:KYg7aBgw9dfkV
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#..2gm.agm.agm.a..;amm.a..9a.m.a..8a.m.a5..`Cm.a5..`vm.a5..`um.an.Yadm.agm.a;m.a...`em.a..5afm.a...`fm.aRichgm.a........PE..L..

                                                File Icon

                                                Icon Hash:00828e8e8686b000

                                                General

                                                Entrypoint:0x401491
                                                Entrypoint Section:.text
                                                Digitally signed:true
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x609AA982 [Tue May 11 15:57:54 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:1
                                                File Version Major:5
                                                File Version Minor:1
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:1
                                                Import Hash:c36dcd2277c4a707a1a645d0f727542a
                                                Signature Valid:false
                                                Signature Issuer:CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
                                                Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
                                                Error Number:-2146762495
                                                Not Before, Not After
                                                • 4/28/2021 5:00:00 PM 4/29/2022 4:59:59 PM
                                                Subject Chain
                                                • CN=OOO Saylent, O=OOO Saylent, L=Cherepovetz, C=RU
                                                Version:3
                                                Thumbprint MD5:AA278AF0400593F5A10FDADC812F08B9
                                                Thumbprint SHA-1:0D61738E6407C01D5C9F477039FB581A5F81F436
                                                Thumbprint SHA-256:E125F85772776FFA32065B43BC30E4695998F391B85073B62B041CEEF9F7E890
                                                Serial:00BDDF46F3A2DE7D2BFBF5169AE976D97E
                                                Instruction
                                                call 00007F32F4D0D851h
                                                jmp 00007F32F4D0D3DFh
                                                push ebp
                                                mov ebp, esp
                                                mov eax, dword ptr [00412018h]
                                                and eax, 1Fh
                                                push 00000020h
                                                pop ecx
                                                sub ecx, eax
                                                mov eax, dword ptr [ebp+08h]
                                                ror eax, cl
                                                xor eax, dword ptr [00412018h]
                                                pop ebp
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                mov eax, dword ptr [ebp+08h]
                                                push esi
                                                mov ecx, dword ptr [eax+3Ch]
                                                add ecx, eax
                                                movzx eax, word ptr [ecx+14h]
                                                lea edx, dword ptr [ecx+18h]
                                                add edx, eax
                                                movzx eax, word ptr [ecx+06h]
                                                imul esi, eax, 28h
                                                add esi, edx
                                                cmp edx, esi
                                                je 00007F32F4D0D57Bh
                                                mov ecx, dword ptr [ebp+0Ch]
                                                cmp ecx, dword ptr [edx+0Ch]
                                                jc 00007F32F4D0D56Ch
                                                mov eax, dword ptr [edx+08h]
                                                add eax, dword ptr [edx+0Ch]
                                                cmp ecx, eax
                                                jc 00007F32F4D0D56Eh
                                                add edx, 28h
                                                cmp edx, esi
                                                jne 00007F32F4D0D54Ch
                                                xor eax, eax
                                                pop esi
                                                pop ebp
                                                ret
                                                mov eax, edx
                                                jmp 00007F32F4D0D55Bh
                                                push esi
                                                call 00007F32F4D0DCE5h
                                                test eax, eax
                                                je 00007F32F4D0D582h
                                                mov eax, dword ptr fs:[00000018h]
                                                mov esi, 004127ECh
                                                mov edx, dword ptr [eax+04h]
                                                jmp 00007F32F4D0D566h
                                                cmp edx, eax
                                                je 00007F32F4D0D572h
                                                xor eax, eax
                                                mov ecx, edx
                                                lock cmpxchg dword ptr [esi], ecx
                                                test eax, eax
                                                jne 00007F32F4D0D552h
                                                xor al, al
                                                pop esi
                                                ret
                                                mov al, 01h
                                                pop esi
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                cmp dword ptr [ebp+08h], 00000000h
                                                jne 00007F32F4D0D569h
                                                mov byte ptr [004127F0h], 00000001h
                                                call 00007F32F4D0DB0Dh
                                                call 00007F32F4D0DF74h
                                                test al, al
                                                jne 00007F32F4D0D566h
                                                xor al, al
                                                pop ebp
                                                ret
                                                call 00007F32F4D104ADh
                                                test al, al
                                                jne 00007F32F4D0D56Ch
                                                Programming Language:
                                                • [IMP] VS2008 SP1 build 30729
                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0x111fc | 0x28 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0xd0f18 | .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0xe2c00 | 0x1368 | .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe5000 | 0xdf0 | .reloc
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10ae0 | 0x38 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x10b18 | 0x40 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x120 | .rdata
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                 Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                 .text | 0x1000 | 0xa7d7 | 0xa800 | False | 0.589146205357 | data | 6.63399783561 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                 .rdata | 0xc000 | 0x5850 | 0x5a00 | False | 0.41171875 | data | 4.81529074497 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .data | 0x12000 | 0x1364 | 0x800 | False | 0.19970703125 | DOS executable (block device driver \277DN) | 2.20461243145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                 .rsrc | 0x14000 | 0xd0f18 | 0xd1000 | False | 0.593111029082 | data | 6.99009037212 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc | 0xe5000 | 0xdf0 | 0xe00 | False | 0.828125 | data | 6.49908000209 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 Name | RVA | Size | Type | Language | Country
                                                 DEFCOMINSTALLER | 0x197b0 | 0xcb768 | PE32 executable (DLL) (console) Intel 80386, for MS Windows | English | United States
                                                 WINDEFENDER | 0x140e0 | 0x56d0 | PE32 executable (GUI) Intel 80386, for MS Windows | English | United States
                                                 DLL | Import
                                                 KERNEL32.dll | WriteFile, VirtualAlloc, GetTempPathW, CreateFileW, Sleep, lstrcatW, LockResource, CloseHandle, LoadResource, FindResourceW, CreateProcessW, WriteConsoleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, GetStdHandle, GetModuleFileNameW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, DecodePointer
                                                 Language of compilation system | Country where language is spoken
                                                 English | United States

                                                Network Behavior

                                                No network behavior found

                                                Code Manipulations

                                                Statistics

                                                Behavior


                                                System Behavior

                                                Start time:17:24:07
                                                Start date:14/05/2021
                                                Path:C:\Users\user\Desktop\835f242d_by_Libranalysis.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\835f242d_by_Libranalysis.exe'
                                                Imagebase:0xa20000
                                                File size:933736 bytes
                                                MD5 hash:835F242DDE220CC76EE5544119562268
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Start time:17:24:08
                                                Start date:14/05/2021
                                                Path:C:\Users\user\AppData\Local\Temp\MsMpEng.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Local\Temp\MsMpEng.exe
                                                Imagebase:0xf10000
                                                File size:22224 bytes
                                                MD5 hash:8CC83221870DD07144E63DF594C391D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Sodinokibi, Description: Yara detected Sodinokibi Ransomware, Source: 00000001.00000003.228395143.0000000003098000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Sodinokibi, Description: Yara detected Sodinokibi Ransomware, Source: 00000001.00000003.228349911.0000000003098000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Sodinokibi, Description: Yara detected Sodinokibi Ransomware, Source: 00000001.00000003.228303607.0000000003098000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Sodinokibi, Description: Yara detected Sodinokibi Ransomware, Source: 00000001.00000003.228590751.0000000003098000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Sodinokibi, Description: Yara detected Sodinokibi Ransomware, Source: 00000001.00000003.410300982.0000000003098000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Sodinokibi, Description: Yara detected Sodinokibi Ransomware, Source: 00000001.00000003.228598770.0000000003098000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Sodinokibi, Description: Yara detected Sodinokibi Ransomware, Source: 00000001.00000003.228550525.0000000003098000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: MAL_RANSOM_REvil_Oct20_1, Description: Detects REvil ransomware, Source: 00000001.00000002.497457218.0000000000CE8000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Sodinokibi, Description: Yara detected Sodinokibi Ransomware, Source: 00000001.00000003.228482814.0000000003098000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Sodinokibi, Description: Yara detected Sodinokibi Ransomware, Source: 00000001.00000003.228442581.0000000003098000.00000004.00000040.sdmp, Author: Joe Security
                                                • Rule: MAL_RANSOM_REvil_Oct20_1, Description: Detects REvil ransomware, Source: 00000001.00000002.497262037.0000000000CA0000.00000040.00000001.sdmp, Author: Florian Roth
                                                Antivirus matches:
                                                • Detection: 0%, Metadefender
                                                • Detection: 0%, ReversingLabs
                                                Reputation:low

                                                Start time:17:25:34
                                                Start date:14/05/2021
                                                Path:C:\Windows\System32\wbem\unsecapp.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                Imagebase:0x7ff7b37c0000
                                                File size:48640 bytes
                                                MD5 hash:9CBD3EC8D9E4F8CE54258B0573C66BEB
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
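Two checks a responder would run over this process table and Yara list, as an added example (not code from the Joe Sandbox report): flag a dropped binary that borrows a Microsoft image name (here MsMpEng.exe, the Windows Defender engine, launched from the user's Temp directory) but runs outside that binary's expected directory, and group the Yara memory-dump hits by base address to show that one region (0x3098000) in the dropped process matched across nine snapshots. The process records and Yara source strings are transcribed from the report above; the expected-directory table and the reading of the .sdmp field layout (process index first, base address fourth) are assumptions.

```python
"""Triage helpers for a Joe Sandbox process listing and its Yara memory-dump hits.

Added example; not code from the Joe Sandbox report. Process records and Yara
source strings are transcribed from the report; EXPECTED_DIRS and the .sdmp
field layout are assumptions (Windows Defender's MsMpEng.exe runs from Program
Files or the Defender Platform directory, unsecapp.exe from System32\\wbem).
"""
from collections import Counter
from dataclasses import dataclass

# Directories a binary of this name legitimately runs from (assumption; build
# this from your own golden image). Paths are compared case-insensitively.
EXPECTED_DIRS = {
    "msmpeng.exe": (
        r"c:\program files\windows defender",
        r"c:\programdata\microsoft\windows defender\platform",
    ),
    "unsecapp.exe": (r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"),
}


@dataclass(frozen=True)
class Proc:
    path: str
    md5: str
    wow64: bool


def is_masquerading(proc: Proc) -> bool:
    """True when the image name is in EXPECTED_DIRS but its directory is not."""
    folder, _, name = proc.path.lower().rpartition("\\")
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return False  # not a name we track; no opinion
    return not any(folder == d or folder.startswith(d + "\\") for d in expected)


def parse_dump_id(source: str) -> dict:
    """Split a Joe Sandbox '*.sdmp' source name into its dotted fields.

    Field meaning is an assumption based on the report layout: field 0 is the
    process index, field 3 the hex base address of the dumped region; the
    remaining numeric fields are kept raw as 'flags'.
    """
    fields = source.rsplit(".sdmp", 1)[0].split(".")
    return {
        "proc": int(fields[0], 16),
        "kind": int(fields[1], 16),
        "address": int(fields[3], 16),
        "flags": tuple(int(f, 16) for f in fields[4:]),
    }


def regions_by_rule(matches) -> dict:
    """Count, per rule, how many dump snapshots matched at each base address."""
    counts = {}
    for rule, source in matches:
        addr = parse_dump_id(source)["address"]
        counts.setdefault(rule, Counter())[addr] += 1
    return counts


# Constructed from the three process records in the report.
PROCS = [
    Proc(r"C:\Users\user\Desktop\835f242d_by_Libranalysis.exe",
         "835F242DDE220CC76EE5544119562268", True),
    Proc(r"C:\Users\user\AppData\Local\Temp\MsMpEng.exe",
         "8CC83221870DD07144E63DF594C391D9", True),
    Proc(r"C:\Windows\System32\wbem\unsecapp.exe",
         "9CBD3EC8D9E4F8CE54258B0573C66BEB", False),
]

# Constructed from the Yara match list for the dropped MsMpEng.exe process.
MATCHES = [
    ("JoeSecurity_Sodinokibi", "00000001.00000003.228395143.0000000003098000.00000004.00000040.sdmp"),
    ("JoeSecurity_Sodinokibi", "00000001.00000003.228349911.0000000003098000.00000004.00000040.sdmp"),
    ("JoeSecurity_Sodinokibi", "00000001.00000003.228303607.0000000003098000.00000004.00000040.sdmp"),
    ("JoeSecurity_Sodinokibi", "00000001.00000003.228590751.0000000003098000.00000004.00000040.sdmp"),
    ("JoeSecurity_Sodinokibi", "00000001.00000003.410300982.0000000003098000.00000004.00000040.sdmp"),
    ("JoeSecurity_Sodinokibi", "00000001.00000003.228598770.0000000003098000.00000004.00000040.sdmp"),
    ("JoeSecurity_Sodinokibi", "00000001.00000003.228550525.0000000003098000.00000004.00000040.sdmp"),
    ("MAL_RANSOM_REvil_Oct20_1", "00000001.00000002.497457218.0000000000CE8000.00000040.00000001.sdmp"),
    ("JoeSecurity_Sodinokibi", "00000001.00000003.228482814.0000000003098000.00000004.00000040.sdmp"),
    ("JoeSecurity_Sodinokibi", "00000001.00000003.228442581.0000000003098000.00000004.00000040.sdmp"),
    ("MAL_RANSOM_REvil_Oct20_1", "00000001.00000002.497262037.0000000000CA0000.00000040.00000001.sdmp"),
]


def suspicious_paths(procs=PROCS):
    """Paths of processes whose image name does not belong where it runs."""
    return [p.path for p in procs if is_masquerading(p)]


if __name__ == "__main__":
    for path in suspicious_paths():
        print("masquerading:", path)
    for rule, regions in regions_by_rule(MATCHES).items():
        for addr, n in regions.items():
            print(f"{rule}: {n} snapshot(s) at {addr:#x}")
```

The path check matters here because the hash does not: the report shows 0% detection for the dropped MsMpEng.exe at both Metadefender and ReversingLabs, so an allow-list keyed on file name or a deny-list keyed on MD5 both pass it, while "Defender engine binary running from a user's Temp directory" is a stable, hash-independent signal. The address grouping is a quick way to see that the Sodinokibi rule fires on the same writable region of the dropped process in every intermediate dump rather than on scattered false positives.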

                                                Disassembly

                                                Code Analysis