ctblocker | 74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a

Analysis

max time kernel
159s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe
Size

920KB
MD5

f251200975ae1eb1df4fab9c1b715b77
SHA1

d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c
SHA256

74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a
SHA512

38717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6
SSDEEP

24576:kr8/0SLiPVg2ruQFk28H4Z5fYySV7umi36+hn:kry0PV9FDgSG+l

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-glbuhbf.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. KWRUNDW-XHW2AV6-VQNL7LU-77YRZ4Q-ZADNVDY-IAVZCPR-GHODOFY-VFC2VGH A2U7I7H-CKYJCCA-KKMKE3X-PT6ZB7T-HDH3O64-3UJ5XSQ-5JRWG4Q-BI7ZBAV QD5U3KT-IJ6BVMG-SRJLKV4-IXA47RN-Y4P63HF-QA7AOMV-6OMVWTG-HFEEQE3 Follow the instructions on the server.

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Extracted

Path

C:\ProgramData\ystryfa.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://kph3onblkthy4z37.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker

Executes dropped EXE 4 IoCs

pid	Process
5076	lkeistk.exe
4312	lkeistk.exe
944	lkeistk.exe
4208	lkeistk.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExpandWait.CRW.glbuhbf	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SelectUnregister.RAW.glbuhbf	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	lkeistk.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini	lkeistk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	lkeistk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	lkeistk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	lkeistk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	lkeistk.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-glbuhbf.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4740 set thread context of 3920	4740	74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe	80
PID 5076 set thread context of 4312	5076	lkeistk.exe	84
PID 944 set thread context of 4208	944	lkeistk.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5056	4740	WerFault.exe	79
1096	5076	WerFault.exe	82
1752	944	WerFault.exe	95

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	lkeistk.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\GPU	lkeistk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	lkeistk.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	lkeistk.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5d2b4a7c-0000-0000-0000-d01200000000}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00350064003200620034006100370063002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5d2b4a7c-0000-0000-0000-d01200000000}\MaxCapacity = "15140"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5d2b4a7c-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3920	74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe
3920	74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe
4312	lkeistk.exe
4312	lkeistk.exe
4312	lkeistk.exe
4312	lkeistk.exe
4312	lkeistk.exe
4312	lkeistk.exe
4312	lkeistk.exe
4312	lkeistk.exe
4312	lkeistk.exe
4312	lkeistk.exe
4312	lkeistk.exe
4312	lkeistk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3048	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4312	lkeistk.exe
Token: SeDebugPrivilege	4312	lkeistk.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4208	lkeistk.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4208	lkeistk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4208	lkeistk.exe
4208	lkeistk.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3920	4740	74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe	80
PID 4740 wrote to memory of 3920	4740	74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe	80
PID 4740 wrote to memory of 3920	4740	74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe	80
PID 4740 wrote to memory of 3920	4740	74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe	80
PID 4740 wrote to memory of 3920	4740	74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe	80
PID 4740 wrote to memory of 3920	4740	74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe	80
PID 5076 wrote to memory of 4312	5076	lkeistk.exe	84
PID 5076 wrote to memory of 4312	5076	lkeistk.exe	84
PID 5076 wrote to memory of 4312	5076	lkeistk.exe	84
PID 5076 wrote to memory of 4312	5076	lkeistk.exe	84
PID 5076 wrote to memory of 4312	5076	lkeistk.exe	84
PID 5076 wrote to memory of 4312	5076	lkeistk.exe	84
PID 4312 wrote to memory of 780	4312	lkeistk.exe	9
PID 780 wrote to memory of 3160	780	svchost.exe	93
PID 780 wrote to memory of 3160	780	svchost.exe	93
PID 4312 wrote to memory of 3048	4312	lkeistk.exe	40
PID 780 wrote to memory of 3656	780	svchost.exe	94
PID 780 wrote to memory of 3656	780	svchost.exe	94
PID 4312 wrote to memory of 944	4312	lkeistk.exe	95
PID 4312 wrote to memory of 944	4312	lkeistk.exe	95
PID 4312 wrote to memory of 944	4312	lkeistk.exe	95
PID 944 wrote to memory of 4208	944	lkeistk.exe	96
PID 944 wrote to memory of 4208	944	lkeistk.exe	96
PID 944 wrote to memory of 4208	944	lkeistk.exe	96
PID 944 wrote to memory of 4208	944	lkeistk.exe	96
PID 944 wrote to memory of 4208	944	lkeistk.exe	96
PID 944 wrote to memory of 4208	944	lkeistk.exe	96

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:3160
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:3656

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3048
- C:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe
  "C:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe
    C:\Users\Admin\AppData\Local\Temp\74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 152
    3⤵
    - Program crash
    PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4740 -ip 4740
1⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\lkeistk.exe
C:\Users\Admin\AppData\Local\Temp\lkeistk.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\lkeistk.exe
  C:\Users\Admin\AppData\Local\Temp\lkeistk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\lkeistk.exe
    "C:\Users\Admin\AppData\Local\Temp\lkeistk.exe" -u
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Users\Admin\AppData\Local\Temp\lkeistk.exe
      C:\Users\Admin\AppData\Local\Temp\lkeistk.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:4208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 140
      4⤵
      Program crash
      PID:1752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 140
  2⤵
  - Program crash
  PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5076 -ip 5076
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 944 -ip 944
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Packages\aznbbeb

Filesize
654B

MD5
4732b9a62b326718ddd8914c6611600a

SHA1
e5324b2bf0e3df6f6c726001fd60bc6c54f75089

SHA256
e0cdfd087a896e72351a708e2e6b16cd778a6785b10439fa1e71e34ec1e5137f

SHA512
ca2cdf639cb0893677e2c7f7dac77088b230f31bc161a4c3f61476dcc43bfff571ae842eba42369e1ed948063aa7da1b6b5b3205fb59d1ca5d7ed05fc08c166b

Download Submit
C:\ProgramData\Packages\aznbbeb

Filesize
654B

MD5
4732b9a62b326718ddd8914c6611600a

SHA1
e5324b2bf0e3df6f6c726001fd60bc6c54f75089

SHA256
e0cdfd087a896e72351a708e2e6b16cd778a6785b10439fa1e71e34ec1e5137f

SHA512
ca2cdf639cb0893677e2c7f7dac77088b230f31bc161a4c3f61476dcc43bfff571ae842eba42369e1ed948063aa7da1b6b5b3205fb59d1ca5d7ed05fc08c166b

Download Submit
C:\ProgramData\Packages\aznbbeb

Filesize
654B

MD5
a123bfae61ecb9d2c45b5f3572164ea1

SHA1
d67aa91a63568fd02e2035b2f01124c45466235c

SHA256
260bdf764208acc103f201c26725657394bbb2791bb7b59f6ed8a7e32aa5bd62

SHA512
671b75177a93ea87d98e1f1b705d1dbba7d55062514bcf50b4f8756878e39e8f08d63e80e6040ea6a76f4326a5ced1a98c60139e2ac64599b335c293259d2851

Download Submit
C:\ProgramData\Packages\aznbbeb

Filesize
654B

MD5
654ea3c4b5485af2bf834ab6452577f7

SHA1
389c6b0de6562260351c59e7f9743e3675d6f29f

SHA256
af7dffb3a7882472a5dcee6e35b9ed731c632b9e1a654a34e78e28f70ba64205

SHA512
91d394604f8373818beb3806e1e57e772e4ab5e4dc6e95e2d45fbdf753559fb6fab836e37061965203321f2793919ed456536969df62cdd8a551331b2922774c

Download Submit
C:\ProgramData\Packages\aznbbeb

Filesize
654B

MD5
af217f6ba93bc620377b8623b89c8a10

SHA1
8484b30e08b4647b7ae11907871a9acebba9eaa8

SHA256
53f07108ec261acb7fb09d03b8b4dc172868d117e6b8dd743f3d5246792ebb41

SHA512
1b39f6638a3d6e94f303232f37d1e3260882930ad6f6e32874c7eb9260311d0f103735c016e391373d5451c74fba260524361621914e31707d80f2087148f65c

Download Submit
C:\ProgramData\ystryfa.html

Filesize
226KB

MD5
706f64ebfea3538efa69a79790eba6ee

SHA1
b1c90082e9ecfa3331df16c421af036365d94bd7

SHA256
0575860676c8edecba36afddc2c931c2ccdbafd9d69ff20b28b28900851ea066

SHA512
b52e248eaed86a7c0df42a7f3d141353016c7bb97efda9bbcca70177df4f61e8e63af9cdb1b7c4a29a8889c35fc6758067a9fa509a5a9c7edf4ce5817d846b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkeistk.exe

Filesize
920KB

MD5
f251200975ae1eb1df4fab9c1b715b77

SHA1
d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c

SHA256
74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a

SHA512
38717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkeistk.exe

Filesize
920KB

MD5
f251200975ae1eb1df4fab9c1b715b77

SHA1
d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c

SHA256
74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a

SHA512
38717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkeistk.exe

Filesize
920KB

MD5
f251200975ae1eb1df4fab9c1b715b77

SHA1
d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c

SHA256
74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a

SHA512
38717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkeistk.exe

Filesize
920KB

MD5
f251200975ae1eb1df4fab9c1b715b77

SHA1
d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c

SHA256
74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a

SHA512
38717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkeistk.exe

Filesize
920KB

MD5
f251200975ae1eb1df4fab9c1b715b77

SHA1
d8a47c9f748d3e561e6e0c2d2e5c638708b6f05c

SHA256
74c39126f27e36d582084af61afe00772b722db572edded4f3197ece44c36e6a

SHA512
38717440a1254d61591cc7dd4bc66fab94d599eb30d176069f86ffdbe0135f19cc5f209430c2928d2f449276f669d931673323fd969cda648a22faca75e7b2d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.glbuhbf

Filesize
36KB

MD5
63821c3486c7dfcf2440913bbe7b9fb0

SHA1
746c84144ab968330b84b32fdacb0b1ec654a99f

SHA256
7fd72ae38ac295fe43cc0c9ea65b697b12226430b42b307070c298aa8adb61b7

SHA512
25124d6d3de075695b61ca7035b985f6afb7fb6ffdc9b4f9854d60489bd4d252bfca78f4f2c1555c097668c4975d2061c3c9d389ba6564000ecb50dad6eeff09

Download Submit
memory/780-146-0x0000000039500000-0x0000000039577000-memory.dmp

Filesize
476KB

Download
memory/3920-135-0x0000000000760000-0x000000000097A000-memory.dmp

Filesize
2.1MB

Download
memory/3920-136-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/3920-137-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download
memory/3920-133-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4208-163-0x0000000000A30000-0x0000000000C7B000-memory.dmp

Filesize
2.3MB

Download
memory/4312-145-0x00000000009D0000-0x0000000000C1B000-memory.dmp

Filesize
2.3MB

Download