blackcat | 65b331074f906c46057da085ffdd1d98b61632a3e996cd252d4548a5e4c6bb10

Resubmissions

29-12-2022 04:38

221229-e9sm5acd27 10

29-12-2022 04:35

10-11-2022 11:04

10-11-2022 11:03

10-11-2022 11:00

10-11-2022 10:58

Analysis

max time kernel
194s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2022 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Size

2.6MB
MD5

bb266486ee8ac70c0687989e02cefa14
SHA1

11203786b17bb3873d46acae32a898c8dac09850
SHA256

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
SHA512

a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
SSDEEP

49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8

Score

10^/10

blackcat discovery evasion ransomware trojan

Malware Config

Extracted

Path

\??\Z:\RECOVER-sykffle-FILES.txt

Ransom Note

>> Introduction Important files on your system was ENCRYPTED and now they have have "sykffle" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=mv663mYqpJUUtitTGdnVg6KafVBFCsrbVQaMP63CXYyFfrflZPLURsNVatU74GCtwrxeahZV6eOIZx0qw6JT8iUteyjghxmyohi2X42ROK%2BZ2AT4vQ0O%2FFDoQKhr36MQOhFHmBXhTsVg2IrLc6D6CdysSHmTsOluA%2BrkhYRFGqpnivY9PYcpMGgv9X%2B%2FXh4UuYmr46CPsq2rOmZ%2BBzWyl%2FWs8jTdCWLotlrcIcCl6cjVZC1EHld0k1xXZD7fcMev%2B1wIfwm0OAv8v4izLnpPcXJ7diy2SU%2F1j6bAUBC%2BxZGbTChfRaB3lb%2F%2FE4vMuzAb9eKw1vHIr65XtrZvfu2Gjg%3D%3D

URLs

http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=mv663mYqpJUUtitTGdnVg6KafVBFCsrbVQaMP63CXYyFfrflZPLURsNVatU74GCtwrxeahZV6eOIZx0qw6JT8iUteyjghxmyohi2X42ROK%2BZ2AT4vQ0O%2FFDoQKhr36MQOhFHmBXhTsVg2IrLc6D6CdysSHmTsOluA%2BrkhYRFGqpnivY9PYcpMGgv9X%2B%2FXh4UuYmr46CPsq2rOmZ%2BBzWyl%2FWs8jTdCWLotlrcIcCl6cjVZC1EHld0k1xXZD7fcMev%2B1wIfwm0OAv8v4izLnpPcXJ7diy2SU%2F1j6bAUBC%2BxZGbTChfRaB3lb%2F%2FE4vMuzAb9eKw1vHIr65XtrZvfu2Gjg%3D%3D

Extracted

Family

blackcat

Credentials

Username:
KELLERSUPPLY\Administrator
Password:
d@gw00d

Username:
KELLERSUPPLY\AdminRecovery
Password:
K3ller!$Supp1y

Username:
.\Administrator
Password:
d@gw00d

Username:
.\Administrator
Password:
K3ller!$Supp1y

Attributes

enable_network_discovery
true
enable_self_propagation
false
enable_set_wallpaper
true
extension
sykffle
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 3 IoCs

pid	Process
456	alg.exe
4120	DiagnosticsHub.StandardCollector.Service.exe
4228	fxssvc.exe

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RenameWatch.raw => C:\Users\Admin\Pictures\RenameWatch.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\OpenRead.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\RestartRead.crw => C:\Users\Admin\Pictures\RestartRead.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\RestartRead.crw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\SetRequest.tif.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\RenameWatch.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\EnterSave.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\OpenRead.png => C:\Users\Admin\Pictures\OpenRead.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\SetRequest.tif => C:\Users\Admin\Pictures\SetRequest.tif.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\ShowFormat.png => C:\Users\Admin\Pictures\ShowFormat.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\UnregisterRename.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\EnterSave.png => C:\Users\Admin\Pictures\EnterSave.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\NewExit.raw => C:\Users\Admin\Pictures\NewExit.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\RemoveInvoke.tif => C:\Users\Admin\Pictures\RemoveInvoke.tif.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\UnregisterRename.png => C:\Users\Admin\Pictures\UnregisterRename.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\NewExit.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveInvoke.tif.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\ShowFormat.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2891029575-1462575-1165213807-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2891029575-1462575-1165213807-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\Z:	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\U:	alg.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\SysWOW64\glhcfham.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File created	\??\c:\windows\system32\ncagndhn.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\system32\kcnjebaa.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\SysWOW64\palpaofh.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\system32\qcojofca.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\alg.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\system32\diagsvcs\bogcqebq.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	alg.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\olemadei.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\oniofbgo.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	alg.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	alg.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\hgiggdob.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\ocejmkci.tmp	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\ddjdebhp.tmp	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
112	vssadmin.exe
1692	vssadmin.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallpaperStyle = "0"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe
456	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2200	WMIC.exe
Token: SeSecurityPrivilege	2200	WMIC.exe
Token: SeTakeOwnershipPrivilege	2200	WMIC.exe
Token: SeLoadDriverPrivilege	2200	WMIC.exe
Token: SeSystemProfilePrivilege	2200	WMIC.exe
Token: SeSystemtimePrivilege	2200	WMIC.exe
Token: SeProfSingleProcessPrivilege	2200	WMIC.exe
Token: SeIncBasePriorityPrivilege	2200	WMIC.exe
Token: SeCreatePagefilePrivilege	2200	WMIC.exe
Token: SeBackupPrivilege	2200	WMIC.exe
Token: SeRestorePrivilege	2200	WMIC.exe
Token: SeShutdownPrivilege	2200	WMIC.exe
Token: SeDebugPrivilege	2200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2200	WMIC.exe
Token: SeRemoteShutdownPrivilege	2200	WMIC.exe
Token: SeUndockPrivilege	2200	WMIC.exe
Token: SeManageVolumePrivilege	2200	WMIC.exe
Token: 33	2200	WMIC.exe
Token: 34	2200	WMIC.exe
Token: 35	2200	WMIC.exe
Token: 36	2200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2200	WMIC.exe
Token: SeSecurityPrivilege	2200	WMIC.exe
Token: SeTakeOwnershipPrivilege	2200	WMIC.exe
Token: SeLoadDriverPrivilege	2200	WMIC.exe
Token: SeSystemProfilePrivilege	2200	WMIC.exe
Token: SeSystemtimePrivilege	2200	WMIC.exe
Token: SeProfSingleProcessPrivilege	2200	WMIC.exe
Token: SeIncBasePriorityPrivilege	2200	WMIC.exe
Token: SeCreatePagefilePrivilege	2200	WMIC.exe
Token: SeBackupPrivilege	2200	WMIC.exe
Token: SeRestorePrivilege	2200	WMIC.exe
Token: SeShutdownPrivilege	2200	WMIC.exe
Token: SeDebugPrivilege	2200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2200	WMIC.exe
Token: SeRemoteShutdownPrivilege	2200	WMIC.exe
Token: SeUndockPrivilege	2200	WMIC.exe
Token: SeManageVolumePrivilege	2200	WMIC.exe
Token: 33	2200	WMIC.exe
Token: 34	2200	WMIC.exe
Token: 35	2200	WMIC.exe
Token: 36	2200	WMIC.exe
Token: SeBackupPrivilege	3676	vssvc.exe
Token: SeRestorePrivilege	3676	vssvc.exe
Token: SeAuditPrivilege	3676	vssvc.exe
Token: SeTakeOwnershipPrivilege	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Token: SeBackupPrivilege	4276	vssvc.exe
Token: SeRestorePrivilege	4276	vssvc.exe
Token: SeAuditPrivilege	4276	vssvc.exe
Token: SeTakeOwnershipPrivilege	456	alg.exe
Token: SeAuditPrivilege	4228	fxssvc.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 4920	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	80
PID 3200 wrote to memory of 4920	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	80
PID 3200 wrote to memory of 4920	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	80
PID 4920 wrote to memory of 2200	4920	cmd.exe	82
PID 4920 wrote to memory of 2200	4920	cmd.exe	82
PID 4920 wrote to memory of 2200	4920	cmd.exe	82
PID 3200 wrote to memory of 3688	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	83
PID 3200 wrote to memory of 3688	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	83
PID 3200 wrote to memory of 3688	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	83
PID 3688 wrote to memory of 2748	3688	cmd.exe	85
PID 3688 wrote to memory of 2748	3688	cmd.exe	85
PID 3688 wrote to memory of 2748	3688	cmd.exe	85
PID 3200 wrote to memory of 2724	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	86
PID 3200 wrote to memory of 2724	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	86
PID 3200 wrote to memory of 2724	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	86
PID 2724 wrote to memory of 1016	2724	cmd.exe	88
PID 2724 wrote to memory of 1016	2724	cmd.exe	88
PID 2724 wrote to memory of 1016	2724	cmd.exe	88
PID 3200 wrote to memory of 2656	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	89
PID 3200 wrote to memory of 2656	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	89
PID 3200 wrote to memory of 1552	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	92
PID 3200 wrote to memory of 1552	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	92
PID 3200 wrote to memory of 1552	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	92
PID 2656 wrote to memory of 112	2656	cmd.exe	94
PID 2656 wrote to memory of 112	2656	cmd.exe	94
PID 1552 wrote to memory of 2684	1552	cmd.exe	93
PID 1552 wrote to memory of 2684	1552	cmd.exe	93
PID 1552 wrote to memory of 2684	1552	cmd.exe	93
PID 3200 wrote to memory of 1324	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	96
PID 3200 wrote to memory of 1324	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	96
PID 3200 wrote to memory of 1324	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	96
PID 1324 wrote to memory of 4168	1324	cmd.exe	98
PID 1324 wrote to memory of 4168	1324	cmd.exe	98
PID 1324 wrote to memory of 4168	1324	cmd.exe	98
PID 3200 wrote to memory of 4264	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	109
PID 3200 wrote to memory of 4264	3200	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	109
PID 4264 wrote to memory of 1692	4264	cmd.exe	112
PID 4264 wrote to memory of 1692	4264	cmd.exe	112

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe

C:\Users\Admin\AppData\Local\Temp\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
C:\Users\Admin\AppData\Local\Temp\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe -a 12345
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "wmic csproduct get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set SymlinkEvaluation R2L:1
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set SymlinkEvaluation R2R:1
    3⤵
    PID:1016
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c "vssadmin.exe delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "arp -a"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\ARP.EXE
    arp -a
    3⤵
    PID:4168
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c "vssadmin.exe delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:456

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2380

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVER-sykffle-FILES.txt
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\AddConvertTo.wav.sykffle

Filesize
367KB

MD5
44ced888907bff99d3df89a60eb4e803

SHA1
d47fb50d5011af59467ea85ac5485c9bf9f963c3

SHA256
5d5f3fc1b9dc96cbe824b9cb42c2370b6bfc818df103b70d9fb9453a90854909

SHA512
811ce3b6614bbb63e7fb2370eddd9b25ec7d11f19d9144efd63733d6cb00280450d9abf76339140f6d8f63763022b4217f9aa258740b1f325e20fe25f4409c7b

Download Submit
C:\Users\Admin\Desktop\AssertRedo.cfg.sykffle

Filesize
356KB

MD5
fc97f6f4a15183b31e714548738eaa02

SHA1
5b046dd56ebd32e5d498a62c8228c12dd6d99076

SHA256
866a88a0da6ff7c6f85a4e13aecd98ec48c26de2b7477a9834696167dd84e81e

SHA512
12b9a32010d2dbf1ae0da5ded56ef41ca7c94df9674ce7b90bb55e7005391ac2deb15c01de2522e88e9dfb108ac9c8b0216730d97bf055a80a314976b6383266

Download Submit
C:\Users\Admin\Desktop\BackupDisconnect.pdf.sykffle

Filesize
411KB

MD5
67948b8b9f4d45b9796dbd9f5e2bc259

SHA1
f71412325a21d31e08f9fd68367928ba5a2d9500

SHA256
738fcd8dc77a5b105c82e63095b1fda1bc07f04559d9e5496e381dcabf65cc39

SHA512
c15a872415574115f98016de41fe62f1f8eeddd54a0169c78dc0a40b1517a43ec9612b7e440d95c0cc233e18c717755c2a4ef858ab67eb455bdb199fb542b48d

Download Submit
C:\Users\Admin\Desktop\CompressDismount.tiff.sykffle

Filesize
290KB

MD5
499706c097575923d1c8d9e4a8628b51

SHA1
23ffc14db59519184f3b5beefa0f4e3a00383ecd

SHA256
59f4a92c42091f9457b2a6eb12e3c53ca2b9b6e8c0519a8ea70ddc431dd238cf

SHA512
e334b66d8923373521469719b4720fefc693af5d942c4404820ac7b0e5c383df277811578b1ffbba667935faa8f6017c1f7c922789a0fe4262c6afea7ebc74cb

Download Submit
C:\Users\Admin\Desktop\DebugConfirm.search-ms.sykffle

Filesize
323KB

MD5
38657c685a8ae2cc15bccd388ad9daad

SHA1
bc3eb4e77e0068d9dfc0647c34664c8f3ea1b9ca

SHA256
d58053051abe87f295e82f4d4ad66853434a63d59637824ead402355cb49e903

SHA512
6cd1f5b3f37c8f3711e108a351424003f1607ae32375aade727125161f52444eeaf511dce6935584d49bc1bcebdab0f96e8e41d4e316d73aefdae1f544fc989d

Download Submit
C:\Users\Admin\Desktop\ExitDismount.mp2.sykffle

Filesize
334KB

MD5
8c6fedef32d24ae0f904b7b30b597a97

SHA1
4fdbe0f8fbd75d82bc696ba1bed496372cf8729a

SHA256
b2f027923fb935c881f02d20d3e73870018efae39f504495140666fb01cb27ce

SHA512
4f42c5a8a14ac40bd7b5a30bb4e9fe024c8d8f481190dadf6740a999ce68a1f41fae2ae3b67bb5712a695f0aa110c54fd181b586678807b88816ba95d5e89dda

Download Submit
C:\Users\Admin\Desktop\ImportTest.reg.sykffle

Filesize
433KB

MD5
4ded7370746d081b95ba7398577e15d9

SHA1
2abf3f1ec2e81ff95e4a2e1b0eee5d2593f141e1

SHA256
045c2ed951d50e2303b7365c0a2ac9f30a44d17a3b15e7484261a2a4c87011c5

SHA512
68a5fd4c0c39bc9a2e954fa649bebf0fdae93586074821910819aa50dd70051efe7ab6425612737d5a379a16627af989d0fece58da8e1053fe44df5fe9934d44

Download Submit
C:\Users\Admin\Desktop\LockAssert.vsd.sykffle

Filesize
246KB

MD5
363d6d1fec144a558b99b6c2c10153c8

SHA1
bb6e8245c280c0cd5a0c195344d50b11577825f8

SHA256
a8f78446eda827103549060216fde520cf4f32f812c08d6fc3d3a6703edab58c

SHA512
259100be2f321afff17468a5acc394cf78e5d12691398b45332f86b5772e5c6ee6ed07672ac865701b7657549bf3464c7414a9f2532c6889b961ad29336e558a

Download Submit
C:\Users\Admin\Desktop\MeasureRead.mhtml.sykffle

Filesize
202KB

MD5
420f9162242f7e05495f228d03d9efa9

SHA1
b2ecedc49e32a8b9f90c415ccb0170c6853cafd4

SHA256
ec298a7b4e36073597aaf918fd381c1d9cd85c8a26d64858a61f93807042d854

SHA512
a593ca87ce6aa690ba970d0b91657b4b665f44d7f4e33af7a7313c8ceed614ce33ca6f66d1eb0d81643ec999fdd93574d610e902a5b6111a1374de231cc0bcc3

Download Submit
C:\Users\Admin\Desktop\MountRename.vstm.sykffle

Filesize
257KB

MD5
b7619f8dc7403510c9e22d262f0cdef7

SHA1
4d7c7dc4657ea677f6a030d3f85644fe7aa236f4

SHA256
eb0f8ae5d9cca0175770e9aee8ac09163b5b85982d669bf9a762eb06c1c56974

SHA512
6196e5992c37fa637b3bd7f70f800cb4ceebc0398e2c7f0d58d17233cb5f2a75161a0289e463b04ebc1f303083c997653ebd7bcd264d458b7080cdb29d36a1c3

Download Submit
C:\Users\Admin\Desktop\NewAdd.ini.sykffle

Filesize
268KB

MD5
ff8da9826f0423c386e96c4eb75b275e

SHA1
2b4e45edf495895e39077c3d5342258f42829a5d

SHA256
7b47f7bcf6a4d3d71f679d8b0f0525ad9cb9b74e7d530760fc5fe69584ce55bd

SHA512
f7f41e4671ca9d0408c0e56338026e9e60e9de996a282f0aa82f484feec6855dddd55a93e43586848a8028d66dbb8b33338e91a9016effa08fe702f37eefebc5

Download Submit
C:\Users\Admin\Desktop\OptimizeSync.xml.sykffle

Filesize
159KB

MD5
3222832bc666b1bd7ad2a60bb225a800

SHA1
0ac9d7e0da8aeaccd8e8949166608a94b5cf8a92

SHA256
00dbdf113489e2397e28fc83ca727ef2921e9a40ca1a2c405f379b4c70d96270

SHA512
3d04de77e5006c8564e19b2a26f5661771a0cd5452ae5147f69415fcb2205371712e1431509cb6f3560b50adc7e33611974fd55394033bc2ff886589fac99473

Download Submit
C:\Users\Admin\Desktop\OutInstall.wmf.sykffle

Filesize
213KB

MD5
d309257ef81709127ee7f2b94dea8dee

SHA1
48c7e51c625427b46dcd70ead53670e7655ac53d

SHA256
420828fd812a83e0bff17f76714dd78f482cff1f924cb75ff83f16f76d31c4d5

SHA512
6624bd22e91ff76a3862c2d1e80b8ecd1077036aabb9343077f227c3685b6d42409f968e220cc4f7377252ddc012b37c7553091115e484799c7f5670979613d4

Download Submit
C:\Users\Admin\Desktop\OutSkip.tif.sykffle

Filesize
422KB

MD5
cb5c89dc2a1d35cb6b9e1cf39a4adf03

SHA1
5a5a821995ca40e71b80c82a08f4061d4a77f3b6

SHA256
bdd5ca0b6c74669df051fe4970566d444f447ef3292e066e27123b13b3733dbe

SHA512
0acbdce838722bba6de6b3b76441f65d864361fe4b44109ca7d3fa30b34f675639173f1f0bb96d7e9a93b71738b357c077fc26645347f942783c4d436215293f

Download Submit
C:\Users\Admin\Desktop\PopPing.mp2v.sykffle

Filesize
224KB

MD5
d9cc98b74937e0da8260b3691e25b52f

SHA1
48f4256bc319cba48c661984b6b2bd3c74ad1352

SHA256
369208a81d92eb37456617a26c258ac112df689bff1879ded149d0ba673113d3

SHA512
7e94e94ccd88492651d6e3aab1653446c663cf5d2df66e1b1bd73aa97cad47ba1628f4b7500db77dc241674b2d9d138f7bd062ae39e17f1480900618ae6b2592

Download Submit
C:\Users\Admin\Desktop\PushRename.dib.sykffle

Filesize
181KB

MD5
147fc70f9e4357b41c08f9456b14cb94

SHA1
8ed7c3e6e73caf6debec5537055a5a3faefa38d6

SHA256
8973fb52cc6a4a7b9d9dd5386ec7916584f08df8b0dbc9c9962497b610063588

SHA512
7e7d2e9b70e9269eebc569a5874daba69b57bb7bbfbdea8d370de5295f8e0d6ca21f2533ab597055274bb7750cf58e2015735e08452bade85a7dc2bc3cffff04

Download Submit
C:\Users\Admin\Desktop\RECOVER-sykffle-FILES.txt

Filesize
1KB

MD5
b32ddc885d39ca9a14cc178fdba7ffa7

SHA1
54fad25695ce127914cd70c53a5ac5c2bcf3a7b2

SHA256
326abd7c673cd1dc49579dc0041d3e6dd1cc6cfba532c1617a9c804628ea78e1

SHA512
fbeaaa52e9df8d07bf438d7b823b8e6764b32c14a4e1158d2be2c9fc9af15115fea9b4810907ed9d2c25251419d42d5648761a68373762f5c41498802f1b46f1

Download Submit
C:\Users\Admin\Desktop\ReadBackup.sys

Filesize
312KB

MD5
1a4a730dba3b67a3348e6ee18e7ee75e

SHA1
c267b2693172d7ab1fc6a9df94b20e9f3fd89990

SHA256
c105bb80ec7424fcb9719037be4a07df230b5c553e38819963a422026f33bcf6

SHA512
29ac1af974df9245518c271e7856918e96aef1999c65966e9a07c23de76534a84cf12de45868185fadcd997a097cdbf73ef0f93674c234500ea8eb57c316ac02

Download Submit
C:\Users\Admin\Desktop\RemoveMove.ogg.sykffle

Filesize
192KB

MD5
8189f1cdf030d09a29b6d5bd7312ef74

SHA1
9c77ecbab53aadccc4df7a3c8de4990cca85ff1e

SHA256
0e89c850dd9dea23b0a934a0047a5ddb093c56b08c36fb47bf86ca7ff1f8b68c

SHA512
bd3030ca21a3b4d6a59f3d53bd2019f50db6934955fa1b122f81aeafae50de4df557ba23c5de52aacfa9d74c4671e706bd79f6bafce8093af26ba412adb5a2ae

Download Submit
C:\Users\Admin\Desktop\SelectResize.vdw.sykffle

Filesize
455KB

MD5
85158bfadf55c57f68b0c6c127e318be

SHA1
3c59b8f034c6c56d7eb377147e1e62dabd591f51

SHA256
672b1a960dfe1689e2bb8f0f2c14bb97eb17f21c35434672dc2cf8b0b804652d

SHA512
635d694480001402e2f18950911b8c9ef5b5b2df425b8389def9e275a71a0f38a62e9793a1a6ad1217f439ee534056074e10680d0973c67e28642412e759ab00

Download Submit
C:\Users\Admin\Desktop\UndoJoin.ps1

Filesize
345KB

MD5
5770e6c2c41e7e13e374b467aa05494f

SHA1
49f14a23e0faf7983463de1af14aa3ba5c89cfd6

SHA256
4e3da88b0d6553179a6feec8b2377147ed95f7124e1aa182a33a44c55a46522b

SHA512
2553a2c20dd135358b129448cc6edf1d15b3fb3476afb1f9fbcbce3f6187f569446a40b8c5ba0044158a86b2caff1d4701f53d26a8c7607f1d7228a1c078ea31

Download Submit
C:\Users\Admin\Desktop\UnlockPing.tif.sykffle

Filesize
378KB

MD5
ac77c04469985cef4235326f4311c6a9

SHA1
1ac67d965b697b3d8a3219c2577438d69c502fed

SHA256
d87850e80e8f0520d592bf431da9e9599e1aa5a18a3f9dceadd8e22e3191dca9

SHA512
95e510f9873fef10755d5b2875316ab47363d7293c870cc91f66d5feb9993a548463db004ba752500e6167691a7d266c9627bd8bc1efc65f1152804a7c3c7637

Download Submit
C:\Users\Admin\Desktop\UnprotectReset.ods.sykffle

Filesize
625KB

MD5
220911b6a37373ec3aeab281412f4f07

SHA1
d4a92514cc055d9f004d85406144ab1d6b423c13

SHA256
3fe489b23d2388586f0b14c1999f9dfc1a3cfc74db16abbd01ff8c119f7fbe0c

SHA512
e8bd152e7fc40a422e8781af0b25ba511d937756f18344d7a1a30e143bafb9bd2483641ad28372fc260b56b9b508ce03483b86b17857e5860b861b7b034fbae8

Download Submit
C:\Users\Admin\Desktop\UpdateRequest.pptx.sykffle

Filesize
444KB

MD5
db36575a64c2b02576bda6db2bbc10ba

SHA1
7071c71ad708747df6e46a5eaf1e235bd9aa8065

SHA256
34e462f53c1655d8789366945c9c578b45911a312ab0eeff4e7228748dd74c2d

SHA512
4f44eeb373861d4a32ef6dd47d870fabe62f735a6fec5733b1cfac0c74fc40fc9f22c1abe21bdd5c51d0a21408f743be0e1588fc601dbffcf316444e193aec22

Download Submit
C:\Users\Admin\Desktop\UseGet.tmp.sykffle

Filesize
170KB

MD5
efeb6a5774d38c0182bccb5119958296

SHA1
c57566d29d8e147e6894538404c8321b2bc50951

SHA256
d4fe286a3a58d73febfae1bc0f80d742e9e75ff5198005ec2096737702fe6393

SHA512
32b64a6b93b88fd09dc764cf557828d2a6e717332ab663964cbb08c2dedb610854412853f1574f2039bb78f2d0f0f0495e9c54d36505785cc37fb95ca5d9516d

Download Submit
C:\Users\Admin\Desktop\UseRename.mid.sykffle

Filesize
389KB

MD5
4459bbff21f0325c2d2df22c26c31e63

SHA1
eec59e95ef904bf50d777439e2ae5eeebf46d3d4

SHA256
4d8d829b57346779bbaf5444d3628098573690c2bc2e41c07d6d83792a542cbc

SHA512
5cef0225dd9de5f47511c1b27b4eb6b6140a609e9c6635e9a9a37b54e43d1b6277f9b6b310f12900b0f2599b937f7407ace5c2d0fe0bdbb3f44c79bc2ee0124c

Download Submit
C:\Users\Admin\Desktop\WaitNew.m3u.sykffle

Filesize
400KB

MD5
dbb5ed13d101a187fd3401fcd64d6f44

SHA1
05a2daca14608ba34f810f4e28f50313ec1b2b9f

SHA256
366047cfbe555a2e78003da86bb8a1ac5a75e4219ca65c41802000e18659310b

SHA512
f276b41974604d7f33fb588bef66271104f5326f072a8c8e0c73cb2083d53e43a15da790c3e79148de452a494e17652e2b79e921ffbe7738248ac513cb23676e

Download Submit
C:\Users\Admin\Desktop\WriteBlock.jpeg.sykffle

Filesize
301KB

MD5
df539797cef1f7dd92ac47743073f267

SHA1
5b4b91d448b1900985f1256f7259c27004ab7f6b

SHA256
8c8513d997309f871f506006be1dda16a5183a419536162e1b64ac05f0976cb2

SHA512
d0751d0410b474a9a1bab7ffc6e92d952191f363b1d1ba3d4ecbf1b895cad0d6672dfb8a316684c60683e35499fc085a64ce16305ccb2929571835f9689a7a6c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
491KB

MD5
67d2677aa17d714a442acdfbe234a2b0

SHA1
90e85199ffc9b6086d4d59ab9c913ade1ee71ff6

SHA256
2483610e55f030ce31fba2234fe5bf01e0309bab6e309216b7babfdf04ec878e

SHA512
524c011c75e0352d0fed3ca3aa41df02e0a62ceb3bd6755dd434e84ff40396095341ee193d7f5d2fbf012fca1354aac9aaeae27779c7acdafc3ee7ee529f70a8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
f0e851a17f14f114ce04134ca7d3a41c

SHA1
18c2250a318b57e34843c5e85795f9c15da1a7a1

SHA256
062e1731717344144c252655c5adbdea1937aec4233df2e5d640b67be5433aad

SHA512
1e56909817512b1ce55825c83040038b2fccfa0d3c67aed6b94539bf7434498cf9cae2927292de10a476faefb9a996ce0b60d454b9e390b5f6b29a7add254316

Download Submit
C:\Windows\System32\alg.exe

Filesize
493KB

MD5
7d8e56ed7cf634396ffaed89f09a212e

SHA1
2f37e76c66e8aae08254be47d5420694b0c590c7

SHA256
3d00b7f8dd2c3af64159b3a0a41c295f7ea723be57210d8f9ee53f8c860c6837

SHA512
5a31b95f28a13517f84d7ef1fcaafca0edf286149a1b665ba98e50e8da363b44773476c876b713750aacace13f1bb4be7f7466d8be867868615a8cd1ea337b1e

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
ae9b12dc796ba9a37d15491a0df4cd3b

SHA1
f5605e5a3c0c7428025ad0ebf86f72bf49557d02

SHA256
99aedb1dadb0f82ac246ce48830c463d797407823e18599114d8042f567309e1

SHA512
5a8bf545ccd74d804ff62c47741e7409e641574e814ffef60f386a26265d03ac6eca6845d394da87a0e3e196e38458e757d598c6aab8524d31f673c8284c634c

Download Submit
memory/456-160-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/456-156-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/456-150-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/3200-147-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3200-146-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3200-135-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3200-159-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3200-148-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3200-132-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4120-162-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4120-152-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4228-158-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/4228-161-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download