Resubmissions
20-01-2022 19:26  220120-x5jhrsbcdl  10
17-01-2022 16:56  220117-vf67esbcd8  10
17-01-2022 16:16  220117-tqyscsbedr  10
09-12-2021 23:18  211209-299yqseee9  1
Analysis
- max time kernel: 614s
- max time network: 613s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 20-01-2022 19:26
Static task
static1
Behavioral task
behavioral1
Sample
3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
Resource
win10v2004-en-20220113
General
- Target: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
- Size: 2.2MB
- MD5: aea5d3cced6725f37e2c3797735e6467
- SHA1: 087497940a41d96e4e907b6dc92f75f4a38d861a
- SHA256: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
- SHA512: 5489753ae1c3ba0dbd3e0ce1b78b0ccba045e534e77fb87c80d56b16229f928c46a15721020142bbc6bd4d1ba5c295f4bec3596efa7b46c906889c156dadbd66
Malware Config
Extracted
C:\RECOVER-sykffle-FILES.txt
http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21
http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=I2Bz00rK6fkXUoQuur4TTgimmKtGOY7E7vPSTRpLMtdcJORjeK56V2Ihp8exfrrQF0AwekitMld5dPD%2B5OoHEoHZ08%2FHwP3loiz0s3FfYW5HByxYyOJDiGWf%2Fni4GArvDFUB8S7tz9KNDdlACA5ocrQ6P%2FfKvWKojMNC8Kb%2BwDLAqTsD7vTsaIqcM7nbrB3NixH0XfbvT96ix56LoZfj7SM%2FTneVcDLe7uGxxP1Fk8vBbR586TX4rlkTITOSaWBHHFDokbXzuj1S9AMgfWRNB%2FJAlX0wWUe9LjoTbzrxQ1JzYy%2BhO8HMwQHbg9oYbeu%2Ft2PGmialmLXay6qmFtG0sw%3D%3D
Extracted
C:\Users\Default\Desktop\RECOVER-sykffle-FILES.txt
http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21
http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=PuYbvuWqm82inTx%2BR30ukdymXFnJt5ik6Hg7z6tl%2BURykiNjZXqFnb0cJE7%2FUQf3wQddW5Omw9cjD8vt6w61RkTDZ08XcQKe4QikIKFqh5mQJNRZ8ZU%2F6mBcntlSdfVup1STyCgYT2a1%2B9RBetFcMG8tnJfAD6JewbD7q4AZVg%2BBDni4NF%2BVxCT9swjoesVRdX%2FtoEpD6UAkc%2Bt4urXr217P0vNTCihZV1bVznP3kSMRbZa%2BqNULSj8BqsHjXgudpCgcRrw%2FIkcmKFvtyJEUhRMRiQF2VL5kv%2FGO%2BjuoxmnR9yQR6iPdFkWL4r9Ib7GAMhkmMq2vuB4P88WtPREEvg%3D%3D
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 19 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe (the process for every row below)
File opened for modification C:\Users\Admin\Pictures\StartUndo.tiff.sykffle
File renamed C:\Users\Admin\Pictures\UndoRepair.raw => C:\Users\Admin\Pictures\UndoRepair.raw.sykffle
File opened for modification C:\Users\Admin\Pictures\MeasureDebug.tiff
File opened for modification C:\Users\Admin\Pictures\SkipPing.tiff
File opened for modification C:\Users\Admin\Pictures\GrantAssert.crw.sykffle
File renamed C:\Users\Admin\Pictures\InitializeSet.raw => C:\Users\Admin\Pictures\InitializeSet.raw.sykffle
File opened for modification C:\Users\Admin\Pictures\InitializeSet.raw.sykffle
File opened for modification C:\Users\Admin\Pictures\UndoRepair.raw.sykffle
File renamed C:\Users\Admin\Pictures\GrantAssert.crw => C:\Users\Admin\Pictures\GrantAssert.crw.sykffle
File renamed C:\Users\Admin\Pictures\MeasureDebug.tiff => C:\Users\Admin\Pictures\MeasureDebug.tiff.sykffle
File opened for modification C:\Users\Admin\Pictures\SetRegister.raw.sykffle
File opened for modification C:\Users\Admin\Pictures\SkipPing.tiff.sykffle
File renamed C:\Users\Admin\Pictures\StartUndo.tiff => C:\Users\Admin\Pictures\StartUndo.tiff.sykffle
File renamed C:\Users\Admin\Pictures\GroupOut.png => C:\Users\Admin\Pictures\GroupOut.png.sykffle
File opened for modification C:\Users\Admin\Pictures\MeasureDebug.tiff.sykffle
File renamed C:\Users\Admin\Pictures\SkipPing.tiff => C:\Users\Admin\Pictures\SkipPing.tiff.sykffle
File opened for modification C:\Users\Admin\Pictures\StartUndo.tiff
File opened for modification C:\Users\Admin\Pictures\GroupOut.png.sykffle
File renamed C:\Users\Admin\Pictures\SetRegister.raw => C:\Users\Admin\Pictures\SetRegister.raw.sykffle
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
File opened (read-only) \??\Z:
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe (the process for every row below)
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 1748 vssadmin.exe
pid 1572 vssadmin.exe
pid 1768 vssadmin.exe
-
Modifies Control Panel 1 IoCs
Processes: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\WallpaperStyle = "0"
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid 1252 NOTEPAD.EXE
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs
Processes:
pid 584 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
pid 1864 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
pid 1584 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
pid 932 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid 1584 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
pid 932 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid 1544 WORDPAD.EXE
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid 1544 WORDPAD.EXE (listed 5 times)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe"
C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
      Command line: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
    C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
      Command line: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
    C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
      Command line: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -a access_token -v -u
      - Modifies extensions of user files
      - Enumerates connected drives
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c "wmic csproduct get UUID"
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic csproduct get UUID
              - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\fsutil.exe
              Command line: fsutil behavior set SymlinkEvaluation R2L:1
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\fsutil.exe
              Command line: fsutil behavior set SymlinkEvaluation R2R:1
        C:\Windows\system32\cmd.exe
          Command line: "cmd" /c "vssadmin.exe delete shadows /all /quiet"
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\vssadmin.exe
              Command line: vssadmin.exe delete shadows /all /quiet
              - Interacts with shadow copies
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\reg.exe
              Command line: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c "arp -a"
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\ARP.EXE
              Command line: arp -a
    C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
      Command line: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -a access_token -v -u -l log.txt
      - Sets desktop wallpaper using registry
      - Modifies Control Panel
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c "wmic csproduct get UUID"
            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic csproduct get UUID
              - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
            C:\Windows\SysWOW64\fsutil.exe
              Command line: fsutil behavior set SymlinkEvaluation R2L:1
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
            C:\Windows\SysWOW64\fsutil.exe
              Command line: fsutil behavior set SymlinkEvaluation R2R:1
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
            C:\Windows\SysWOW64\reg.exe
              Command line: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
        C:\Windows\system32\cmd.exe
          Command line: "cmd" /c "vssadmin.exe delete shadows /all /quiet"
            C:\Windows\system32\vssadmin.exe
              Command line: vssadmin.exe delete shadows /all /quiet
              - Interacts with shadow copies
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c "arp -a"
            C:\Windows\SysWOW64\ARP.EXE
              Command line: arp -a
        C:\Windows\system32\cmd.exe
          Command line: "cmd" /c "vssadmin.exe delete shadows /all /quiet"
            C:\Windows\system32\vssadmin.exe
              Command line: vssadmin.exe delete shadows /all /quiet
              - Interacts with shadow copies
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f4
C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\log.txt
  - Opens file in notepad (likely ransom note)
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
  Command line: "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\AppData\Local\Temp\log.txt"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Downloads
-
C:\RECOVER-sykffle-FILES.txtMD5
0d658e7ec57469bdd6711ebecfcb85ac
SHA1a32c094eddcb84cc5a62c4bfbbecf156396a6d86
SHA256b1a2a478b15f1c7c954fe0f5b800ee52938de38445fc8d5d9c75ba28206999b6
SHA512005b7a54a558bc7dfcc79a8fbe291bb40d7d37de048d2bb69919f89176f622f5d4cd7fd5590affba729a9a88e3c8d9771902eb5b0c0247e00bf2a397e7bb8dde
-
C:\Users\Admin\Music\AddDebug.xsl.sykffleMD5
5bdf3a4fad84a39180502aabffa24cb2
SHA1849baff49cfb536843c6d14152388542113bdd3d
SHA2568b66363a0349052bc6d9bb13439ab3318159ce901064e484c676ac3e630b3298
SHA512a63b7e53ac4d968028afb144089a344e320fa9e3e17557685d8395d0d61c8abed4d594d9e4ec7509611040032484b05a979383ff4895a48bd044226022685992
-
C:\Users\Admin\Music\AddMerge.vbs.sykffleMD5
736d6ba7ad422880406bcd1fea8643f3
SHA152898943140be348e1cae9af0f19aec8cc590911
SHA256095e99ab7643f3cb6e54c7506ee332d00965c2d2ff04e551a94806e8f4f58379
SHA5126a3676ef775be61d8199c7786a9739d7e3bd9cf629cbdc7e9e056d61e90a8a3691e5be1aba3ee076d3f17b21720db12651e1f01edd0b34717e84edfeb5ed8013
-
C:\Users\Admin\Music\CompareSkip.3gpp.sykffleMD5
0ccc5f7305dddc338fccb16874de42bf
SHA144b05c3c4a3311cfb060c6f9fb865650d6e703d4
SHA256e48dd09d2f028546f6146da8b82a08c1aaa8448600b5f0107d6ea8da924b2ed8
SHA51239e836c04b8550a1e02f64f031ecef11a877e76ac372d1ac84a110a81e8b41d93d0eaa65dfeb5f50db44feadd3202ce0a8fdea5d90d5e9ae5d77cf2b32066160
-
C:\Users\Admin\Music\DenyMount.pptx.sykffleMD5
a8d4f1124f84d18463ac66e24bd193d4
SHA100f500f015e71c99be730bb1fa0f8d9db7c021c7
SHA2568c7b083c34e3c57b363d7c30ece1b6d44b72eb56dd9e53fbda42fccfae773a0b
SHA5127ff485bd74fe4a85eaf11fab2f6371806d6c2f00f4801da536705bea2aa222ec8af717f778c69dbb2d1062dc68573d17065487f9ed0ec77bdcd57a037106dcf9
-
C:\Users\Admin\Music\ExpandMerge.vsd.sykffleMD5
151d6b6a83a73e12743bfe1202ee91bf
SHA10e18490ae8f521a4ab6d2e1f84aeefb65d0162f2
SHA256dc1bb5ce6b0ca9dea96950d6af5b98ee21130320bcd084ecc705a78d60788db1
SHA512816ebce2a3a658454e78cbff83e7cd4d7cb06edd950ace6be32610a6be95cf87ad62a626532efe13a42328e04c36f1a863cec50d293edf468502dc03da319e38
-
C:\Users\Admin\Music\GrantEnter.odt.sykffleMD5
0763461bab59120fa453504b9d0041ba
SHA1aedefe88e047aff4097d21b341dce2791d613c91
SHA25663db817f75ba8a6739e0f94d567954612933d2ef5a79aa215905f7d4a3fcbf2a
SHA512b076271584afe872590cb2227f39c37087a3ac4311f87e8405de94447c699c595f54a6670a2f91831e7c2148d05db916206cfbd0b457c892fd512ba66493fc8c
-
C:\Users\Admin\Music\PublishDebug.vsw.sykffleMD5
f068ce0b5dcd5fd0046323b04ac3a241
SHA179d5fa6276dae33584fc694b322a24d360a1668f
SHA256dac2015531d910529213ed4f1c44606d094c312378269d7f051d3684738895d4
SHA51257feb4be97fc6e6bfdce2ea0c4dec3f3042dc36f520f95c077cd3a1ec7b8528dc78b8c1502abf81e12cfd38635507a7d262fab58d14425b10587855a24f10cce
-
C:\Users\Admin\Music\RECOVER-sykffle-FILES.txtMD5
0d658e7ec57469bdd6711ebecfcb85ac
SHA1a32c094eddcb84cc5a62c4bfbbecf156396a6d86
SHA256b1a2a478b15f1c7c954fe0f5b800ee52938de38445fc8d5d9c75ba28206999b6
SHA512005b7a54a558bc7dfcc79a8fbe291bb40d7d37de048d2bb69919f89176f622f5d4cd7fd5590affba729a9a88e3c8d9771902eb5b0c0247e00bf2a397e7bb8dde
-
C:\Users\Admin\Music\SaveWatch.rtf.sykffleMD5
2b3b5e64e3fe564e3b4a0341f67a8cd4
SHA14f2673a2c71a04089943986d80f2e1e7ded16e7f
SHA25638c6da4f0a15915faa65fe9aa1caecfaa5bb09937bc981821435f76b31da629a
SHA512f8eac412f6bae161951bb448cce62391cd04bcf4e2441392283e64b76fa55027e403e24a86437f6fc718d7592c3e106ab9ff9eb0d5e7bbedbd3030cce2c81208
-
C:\Users\Admin\Music\SetLock.mp2v.sykffleMD5
be90320471a147f50eaa11722f123f6f
SHA1bff0654647cc6bac3c5a88fef6d891183598703e
SHA256795c3fc03fba634abaad96975b75d5607bbcf407dfce661d1f2a190f1488a4b6
SHA512a1736dd07ef82a3cfbe817071a32b405291888289a6edad016f3fa3c937d1e26749a137d74c6891605d094ba8e529dec13052bdea18887bf49770f8adfdc18c1
-
C:\Users\Admin\Music\SplitEnter.xltm.sykffleMD5
8f411216714da21d57783b48fa019b87
SHA1af423ad2ba4492749d1d5284e433d56964f98216
SHA256c519192ea32ca4ea9c6d613b43747dc71d5680b27741275f01af4782630a35db
SHA5123724d08afe591d5c57efc716a68ac0f2982c913fa42f3d84a38efb0010e9ab15e6418a39f522a8cc4513c474c42e04c8c4383e9cb9a838b12db0399a7e18f2e3
-
C:\Users\Admin\Music\UnblockSend.vdx.sykffleMD5
78fb8315ee81582bd5379e3edb0565ee
SHA153413284e675ee0b433af43c51d50640a5bc581f
SHA256444ce20a7f2449777a19a33a88ad21da8dda5b2108ff4f4d0373fb7eab4f8363
SHA512111f7221bc2e9917b16353b20b0399ed598fc458b1542e9abe19ff3a6fb13908203c9d10a734cf292fe733c25e76dd588662acac98faf8e23e9b4a18be740146
-
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.sykffleMD5
5bde09bd1edf6158483436717a414e9a
SHA1d942bb97e7bc0fb58dbe41da22e5d424040d3a6a
SHA256dad529d3c0e978b6da03521e6656b440d059fe33ec84f3d88cd7503d807f62b8
SHA5123b08848a09d7049d739c5f2ad492e37aa683e28c2c203ae27a8578871d9ec8dc54db1c85a886d4e5069b5ebbadd18dc2db1d881a59e59d67decec74af1d2d749
-
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.sykffleMD5
e63c75cd676b1d8ee2da1919b1c57ed7
SHA1ea2df8b9a7011c0a224ba0f423719622d7b25dea
SHA2569c068bc8a13c55af462f83002425995d4dc1277d293364aff6cc74a72ce310ae
SHA5120242bad6bd0c6a135467c2445000ebb9519999f862c50624a72d249de5bd119dca5a2515a47251af1e03feab899ecff60c1a5c8d1c1f0b99d027311734d6b4c2
-
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.sykffleMD5
72f05309a2064117ac9c6e2ffba2bd92
SHA12f2a6cfc4956664cd755d02adf1c0cd3b0d8ee8c
SHA2568a1a575e9b7d4f30220b31708785e9665fe91e6456c693257e9e4c9a0e41fe2f
SHA5124e55e557dd334c33c3ad691e803d10f92246b145db4cf6056906b6a91176a315923d5a96650ba4c331ac52698c8589bcdbcca7090a75e4bf40fc5c64b46b2397
-
C:\Users\Admin\Pictures\CheckpointUnpublish.dib.sykffleMD5
373fb1f012e10b174d7c4ed0b497db08
SHA13a2922b43bdea48ab54c85d6e05715b1cc9f9a1b
SHA256ea8ad290d342c06b54c50b1b00fefea4e6d5f5e66e8c1fea878098ed13618a09
SHA51249b03d9ad014bcdc24fe91d8167c484ae562382deee0f058f7b97caadc1bea4938761cedb4d0ef3a9fe1307c119dc499913b5c8ec8b37241bf003160dd2ebe4f
-
C:\Users\Admin\Pictures\ClearPublish.jpg.sykffleMD5
c2390f4fa45c39f7e3924154c411fdfc
SHA1cbf74a4a6d1bc6052979db36b3150ffbc18b6d93
SHA256cf6e8b3d7a6c241f4119515ce61ae755560d88a6e61f76b3f082c3d30ea5b779
SHA512f004ea5be715835410908d6345d809311612bb164ee70d53c757e6b589c0b116266bbfb34370c2cd305de5b0ceaa7bc702048a6b4c191c82d6de3cba91e40dbd
-
C:\Users\Admin\Pictures\ClearTest.dxf.sykffleMD5
a6bfa133ae019161168d8ea5ef9eb0b3
SHA16bd2cf8b7c4ef3d0c06c975ce48909f90dac241a
SHA25644d8701425255a3c00788debf9eea53841323a1c0f891f8b937bfc6c32c9a84a
SHA51254d5d20f4e93d5d8228e29eed70d4242e27e663d8548863f81a6e8763daae8feae2622eaf638ffa8f0a6ae253a53405790b8fa9f4ec028dfd0bfaa5e07aae396
-
C:\Users\Admin\Pictures\CloseReceive.svg.sykffleMD5
dee8b3fd54009ebc201f58ac49d38d0c
SHA107777aeabbb3aa4fe5e569f26491aa9eff6a2ca8
SHA25681d5d0f9a8f2cd0e85de1d15151918ead37d95a4ff67112e2ff9f89469013938
SHA51211a44b977ace1f80d9333b72bfe223ee090dab7130d550a45437aea53c2cf53847982ea68a609711790c1de6492aed6155d11a2b0a42a048ff7809b7344f0b76
-
C:\Users\Admin\Pictures\ConnectExit.jpeg.sykffleMD5
dd055722cadab27e45333da7ac9b663e
SHA1827b8615818cc4f647848c72eee8ebe8988c0ff1
SHA25678108a08a4823c2ddb6e4d1b0e6ff637aa918a3619a95b260cfac84d4c988a4c
SHA512d4f34139bdf4075eed9287827a6117e1a3299e53195262f3a192556cd7a8399ebaec7a92219485efd4f850c38d7aaa34dccebaaa4349d4045a37b73f154fca94
-
C:\Users\Admin\Pictures\ConvertFromReceive.wmf.sykffleMD5
acc25d51214b8a8ab3c1ed1bd122a927
SHA169bd1fa09875cf03d5c1a0c5ed094de5cc870ea7
SHA256db73ac2d734f5373604e8b3f99a49552eb04167a88aa0e5df1783797c7327cca
SHA51246a090d4ed851e0f1e761ea78307800ae5b5fa23848be41141198c3d3bd2d06fc62b4a185bc53b6ce7daa484359362b28bcb455088a7175cd47582a785a9ea5e
-
C:\Users\Admin\Pictures\GrantAssert.crw.sykffleMD5
88a4bdce843650c0e88d371bfdfc05ae
SHA11e6254f740405174a96613a3360c05ed0f48948f
SHA256d01ca3966d1b69511ace3ebd365ee75e90a98348fe69ccb090a7832d5ee0af8c
SHA512c93cc775b4a69c7b7cf86bdb6d1d04bec9c69c9019a6e04bc1f29e9417753c844116105abac2bfe363f2208e7b77b0c68bca14586878e94a9e87344fbe9b04bb
-
C:\Users\Admin\Pictures\GroupOut.png.sykffleMD5
a905738706129cb45fb428b6cd0d0087
SHA11bedc0bc3d329a05c3bc0669f9a7865751f8b685
SHA256ee6bd8821ec7b8dd67ac69a7214b3fc66c84a7de8ef92cf1a26bd5d498c49fac
SHA51279962a65461f37a5e24571a3ceae2f9f013354c89879d99e06173c5b93791f5c5a57217fcb3f319d6db55b9ea8ae22b8a6784e1a9945d0b516717d1c8e4ef4a4
-
C:\Users\Admin\Pictures\InitializeSet.raw.sykffleMD5
29290082bea123f943ed4b362b2edad7
SHA18c67d81f00c59fc8c71b88a1594b85511aa94b16
SHA2562e73987266751af9f5b3f7d640605c540c27d8f2a6f5933e5694012545b08251
SHA512b3050f255872f18ec24e606ae4f9edb3ca28d5694e9b66a84ea7e5ce3985d2a1efc99c5b6898167b592b4bdfe901c03864f891dededb50170f74fe97b33e8cbb
-
C:\Users\Admin\Pictures\LimitUnregister.wmf.sykffleMD5
4cc66a898a10ee1d77402f260d596fde
SHA1bdc2f95b6037c99edec4b9cb416652ecd4cc3e85
SHA25620bf490e7c2bce8de7056a47eb39eb2c051babe896b9ab45d6ccd1fb895fb496
SHA5125cd6b3e0d1a6e62336a67832ae79584928f35366870688c896d2b6616648bd999f30337b974d093c11da5d96ed9f0fa85d99ed7c8b8fb18081c1e51df41deaf7
-
C:\Users\Admin\Pictures\MeasureDebug.tiff.sykffleMD5
45de53e0a4901c12f856f350bd7f0501
SHA14dcff9ae278f469fd2322345ee5d587400b5f09c
SHA2566b014ac34fb9a98c013a757218b5c6fb81009c43b7018a081606b37d1ca6b677
SHA512ba14d25e825be3341f9a54d6682245717e2b3a1bf147b0c6a684e12a784f7080de5906222816bc025cde90b479c9475f8d5ef2239ccf2880c13285613555abe1
-
C:\Users\Admin\Pictures\MovePing.bmp.sykffle
-
C:\Users\Admin\Pictures\OpenCheckpoint.gif.sykffle
-
C:\Users\Admin\Pictures\OpenCopy.svg.sykffle
-
C:\Users\Admin\Pictures\OpenSync.jpeg.sykffle
-
C:\Users\Admin\Pictures\PushInvoke.dwg.sykffle
-
C:\Users\Admin\Pictures\RECOVER-sykffle-FILES.txt
-
C:\Users\Admin\Pictures\RenameSend.dib.sykffle
-
C:\Users\Admin\Pictures\RepairHide.pcx.sykffle
-
C:\Users\Admin\Pictures\RepairRedo.cr2.sykffle
-
C:\Users\Admin\Pictures\ResetDisable.svg.sykffle
-
C:\Users\Admin\Pictures\RestoreConvert.svgz.sykffle
-
C:\Users\Admin\Pictures\RevokeApprove.emf.sykffle
-
C:\Users\Admin\Pictures\RevokeResolve.dwg.sykffle
-
C:\Users\Admin\Pictures\SelectConnect.jpeg.sykffle
-
C:\Users\Admin\Pictures\SelectDisconnect.dxf.sykffle
-
C:\Users\Admin\Pictures\SendConfirm.dwg.sykffle
-
C:\Users\Admin\Pictures\SendPop.dib.sykffle
-
C:\Users\Admin\Pictures\SetGet.emz.sykffle
-
C:\Users\Admin\Pictures\SetPop.dib.sykffle
-
C:\Users\Admin\Pictures\SetRegister.raw.sykffle
-
C:\Users\Admin\Pictures\SkipEnter.emz.sykffle
-
C:\Users\Admin\Pictures\SkipPing.tiff.sykffle
-
C:\Users\Admin\Pictures\StartUndo.tiff.sykffle
-
C:\Users\Admin\Pictures\SubmitGroup.dib.sykffle
-
C:\Users\Admin\Pictures\SubmitInstall.wmf.sykffle
-
C:\Users\Admin\Pictures\UndoRepair.raw.sykffle
-
C:\Users\Admin\Pictures\Wallpaper.jpg.sykffle
-
C:\Users\Admin\RECOVER-sykffle-FILES.txt
-
C:\Users\Admin\deployment.properties.sykffle
-
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.sykffle
-
C:\vcredist2010_x64.log.html.sykffle
-
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.sykffle
-
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.sykffle
-
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.sykffle
-
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.sykffle
-
C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log.sykffle
-
C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log.sykffle
-
memory/1544-120-0x00000000020B0000-0x00000000020B1000-memory.dmp
Filesize
4KB
-
memory/1700-117-0x000007FEFB611000-0x000007FEFB613000-memory.dmp
Filesize
8KB