General Info

File name
Kraken.bin.zip
Full analysis
https://app.any.run/tasks/8a8d5cf5-ebb9-442f-880f-f96a9d0f6d6b
Verdict
Malicious activity
Analysis date
1/11/2019, 14:16:34
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
  • ransomware
  • kraken
  • evasion
  • trojan
Indicators:
MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5
2a31fc84eba675c8aa74673fd7effd9d
SHA1
40479bcbdb8d3791b7dfa38381923412bc988e20
SHA256
094922019198988ca8554cdd1d9c29d72e1dd5a4fbf3f665aebc454b7f02eca9
SSDEEP
768:nfQfXA9MPEXvLFYcVBm7Lu166D1NR/aJYvmsBx/zn+y8pSyc+4enfLWu6whg4:nIfX0MPaBkLufDnAJur/8cA4nc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Runs PING.EXE for delay simulation
  • cmd.exe (PID: 2836)
Application was dropped or rewritten from another process
  • sdelete.exe (PID: 2276)
  • krakentemp0000.exe (PID: 2656)
  • x.exe (PID: 3060)
Changes settings of System certificates
  • krakentemp0000.exe (PID: 2656)
Changes the autorun value in the registry
  • x.exe (PID: 3060)
Known privilege escalation attack
  • x.exe (PID: 3060)
Kraken Ransomware was detected
  • x.exe (PID: 3060)
Detected Kraken's note (Ransomware)
  • krakentemp0000.exe (PID: 2656)
Application launched itself
  • cmd.exe (PID: 3316)
Uses REG.EXE to modify Windows registry
  • cmd.exe (PID: 3316)
Starts CMD.EXE for commands execution
  • cmd.exe (PID: 3316)
  • krakentemp0000.exe (PID: 2656)
Checks for external IP
  • krakentemp0000.exe (PID: 2656)
Creates files in the program directory
  • krakentemp0000.exe (PID: 2656)
Executable content was dropped or overwritten
  • krakentemp0000.exe (PID: 2656)
  • x.exe (PID: 3060)
Adds / modifies Windows certificates
  • krakentemp0000.exe (PID: 2656)
Removes files from Windows directory
  • krakentemp0000.exe (PID: 2656)
Creates files in the Windows directory
  • krakentemp0000.exe (PID: 2656)
Creates files like Ransomware instruction
  • krakentemp0000.exe (PID: 2656)
Uses TASKLIST.EXE to query information about running processes
  • krakentemp0000.exe (PID: 2656)
Modifies the open verb of a shell class
  • x.exe (PID: 3060)

No info indicators.

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
788
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2018:10:04 13:36:26
ZipCRC:
0x03dca1fc
ZipCompressedSize:
48561
ZipUncompressedSize:
100864
ZipFileName:
2018-10-04_19-37-40.bin

Processes

Total processes
58
Monitored processes
15
Malicious processes
4
Suspicious processes
2

Behavior graph

  • winrar.exe (no specs)
  • x.exe (#KRAKEN)
  • eventvwr.exe (no specs)
  • eventvwr.exe
  • krakentemp0000.exe (#KRAKEN)
  • tasklist.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • ping.exe (no specs)
  • reg.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • sdelete.exe (no specs)
  • explorer.exe (no specs)
  • cmd.exe (no specs)

Process information

PID
2932
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Kraken.bin.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3060
CMD
"C:\Users\admin\Desktop\x.exe"
Path
C:\Users\admin\Desktop\x.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
UAC
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\x.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\eventvwr.exe
c:\windows\system32\mpr.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
2716
CMD
"C:\Windows\System32\eventvwr.exe"
Path
C:\Windows\System32\eventvwr.exe
Indicators
No indicators
Parent process
x.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Event Viewer Snapin Launcher
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\eventvwr.exe
c:\systemroot\system32\ntdll.dll

PID
3812
CMD
"C:\Windows\System32\eventvwr.exe"
Path
C:\Windows\System32\eventvwr.exe
Indicators
Parent process
x.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Event Viewer Snapin Launcher
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\eventvwr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\krakentemp0000.exe
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll

PID
2656
CMD
"C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe"
Path
C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe
Indicators
Parent process
eventvwr.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
1.1.7.9
Modules
Image
c:\users\admin\appdata\local\temp\krakentemp0000.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\tasklist.exe
c:\windows\system32\shfolder.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
2728
CMD
"tasklist" /V /FO CSV
Path
C:\Windows\system32\tasklist.exe
Indicators
No indicators
Parent process
krakentemp0000.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Lists the current running tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\tasklist.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wmiutils.dll

PID
3316
CMD
"C:\Windows\System32\cmd.exe" /C cd C:\ProgramData\ && release.bat
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
krakentemp0000.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll

PID
2836
CMD
"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S "C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
krakentemp0000.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2816
CMD
ping 127.0.0.1 -n 3
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

PID
2920
CMD
REG ADD "HKEY_CURRENT_USER\Software\Sysinternals\SDelete"
Path
C:\Windows\system32\reg.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3588
CMD
REG ADD "HKEY_CURRENT_USER\Software\Sysinternals\SDelete" /v EulaAccepted /t REG_DWORD /d 1 /f
Path
C:\Windows\system32\reg.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2860
CMD
cmd.exe /c C:\ProgramData\sdelete.exe -c -z C:
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\programdata\sdelete.exe

PID
2276
CMD
C:\ProgramData\sdelete.exe -c -z C:
Path
C:\ProgramData\sdelete.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Version:
Company
Sysinternals - www.sysinternals.com
Description
Secure file delete
Version
2.02
Modules
Image
c:\programdata\sdelete.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll

PID
2572
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll

PID
3196
CMD
"C:\Windows\system32\cmd.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
717
Read events
666
Write events
51
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2932
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2932
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2932
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2932
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Kraken.bin.zip
2932
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2932
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2932
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2932
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2932
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
3060
x.exe
write
HKEY_CLASSES_ROOT\mscfile\shell\open\command
C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe
3060
x.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Payload
C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe
3060
x.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3060
x.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3812
eventvwr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3812
eventvwr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASAPI32
EnableFileTracing
0
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASAPI32
EnableConsoleTracing
0
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASAPI32
FileTracingMask
4294901760
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASAPI32
ConsoleTracingMask
4294901760
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASAPI32
MaxFileSize
1048576
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASAPI32
FileDirectory
%windir%\tracing
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASMANCS
EnableFileTracing
0
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASMANCS
EnableConsoleTracing
0
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASMANCS
FileTracingMask
4294901760
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASMANCS
ConsoleTracingMask
4294901760
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASMANCS
MaxFileSize
1048576
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASMANCS
FileDirectory
%windir%\tracing
2656
krakentemp0000.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
––
2656
krakentemp0000.exe
write
HKEY_CURRENT_USER\Console
WordLoad
1
2656
krakentemp0000.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Blob
––
2656
krakentemp0000.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2656
krakentemp0000.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2920
reg.exe
write
HKEY_CURRENT_USER\Software\Sysinternals\SDelete
3588
reg.exe
write
HKEY_CURRENT_USER\Software\Sysinternals\SDelete
EulaAccepted
1
2276
sdelete.exe
write
HKEY_CURRENT_USER\Software\Sysinternals\SDelete
EulaAccepted
1

Files activity

Executable files
2
Suspicious files
35
Text files
51
Unknown types
3

Dropped files

PID
Process
Filename
Type
2656
krakentemp0000.exe
C:\ProgramData\sdelete.exe
executable
MD5: f41a1afc4cfb95f35cd92da98d90c27b
SHA256: 746de8e02f1e64a707ce060a7d851b5d014698ca8692bd7aa945b40e06b01a07
3060
x.exe
C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe
executable
MD5: b8665cf00d32352ee83ceb189595a753
SHA256: 7e0ee0e707db426eaf25bd0924631db969bb03dd9b13addffbcc33311a3b9aa7
2656
krakentemp0000.exe
C:\Users\admin\Downloads\ENUunVOZEYUrcdgG.0EI3G
binary
MD5: 81c3dcb0a1c01f373be91c0ce785746f
SHA256: db79c0183c01fcab638d6a7e6918efe94534202b433d26f2c1603b674e5ac902
2656
krakentemp0000.exe
C:\ProgramData\Eula.txt
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\ProgramData\Microsoft.zip
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\Public\Recorded TV\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Public\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Public\Videos\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Public\Recorded TV\Sample Media\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Public\Music\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Public\Pictures\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Public\Documents\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Public\Downloads\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Searches\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Videos\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Saved Games\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Pictures\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Links\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Music\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Favorites\MSN Websites\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Favorites\Windows Live\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Favorites\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Favorites\Microsoft Websites\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Favorites\Links for United States\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Downloads\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Favorites\Links\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Desktop\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Documents\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Contacts\fKSupNFdAzkTkCaP.0EI3G
binary
MD5: 5151e9b6453fe9e1c783ed3ed0f502f8
SHA256: f6ef019bb2b22bf7162c1f323f6c018b4d75bfd007639381656ab26e57667ac3
2656
krakentemp0000.exe
C:\Users\Administrator\Contacts\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\Administrator\Contacts\Administrator.contact
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Videos\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Searches\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Saved Games\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Pictures\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Pictures\FWQfTwLPlYodXuPt.0EI3G
binary
MD5: a4b5776db941bb7a36667568544683a4
SHA256: 0aa35800bb8a710301b612be544b9ae7a5166bab736bc7ca958df5bb74a88d8a
2656
krakentemp0000.exe
C:\Users\admin\Pictures\postsmonths.png
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Pictures\lMySTmWJCfFIrgvH.0EI3G
binary
MD5: e92c0e84485b0eeb61a251801fbcd0f9
SHA256: fb6adc8b99e3c5d609466672b78aebf3d76cbd398f27dc16b6b5a52eb37d2d75
2656
krakentemp0000.exe
C:\Users\admin\Pictures\maintenancetests.jpg
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Pictures\fhOPweQBVwsoKlFX.0EI3G
binary
MD5: 31ab1e53650d90358bc126d07106dbbb
SHA256: 12bb60c35d295f2e01affc312aa2a7a1516330dd9e8d9df9d214e9d97b5be95f
2656
krakentemp0000.exe
C:\Users\admin\Pictures\keepparticular.png
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Pictures\aDdMaXKtpOfUeqQm.0EI3G
binary
MD5: 64db83611b584f6502641734aa5acb40
SHA256: dbfb9b3848e3a09faa441eeed6bde0f50a72951b44eeba59cf6d005a8056c799
2656
krakentemp0000.exe
C:\Users\admin\Pictures\interestedwood.png
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Pictures\FtLAaNVoGVvzydvA.0EI3G
binary
MD5: e8c762cd4571e63e00c4ec8c1ebdcc50
SHA256: e68ca41b44489a773620f6b86da1c78b43ee7f09fd5c8a857c8d97465a8a35b4
2656
krakentemp0000.exe
C:\Users\admin\Pictures\heartdetailed.jpg
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Pictures\heartdetailed.jpg
binary
MD5: e24ef137984e4e95798cff7e9b7e8e10
SHA256: 8bf85de70ede50adf341af8ea918ff5d162945d797dae3496aac7ca4949ca34f
2656
krakentemp0000.exe
C:\Users\admin\Pictures\KUKcDLKIQJaqipqi.0EI3G
binary
MD5: c748941ca65978351df225c8deb5ab4c
SHA256: 81978181cc26c5a10a2f5bd384925c83fd83d903682b54c67eaeb8d4064aacb5
2656
krakentemp0000.exe
C:\Users\admin\Pictures\fuckingclasses.png
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Pictures\qKsQDBVDiQrVBcVx.0EI3G
binary
MD5: 8537579e07c92823ccb4e32f98a5b115
SHA256: 578dbcc5f5e19be662e5329a2ebdcbbdde565cf02aaa3cd1ceb26bab5a198bb0
2656
krakentemp0000.exe
C:\Users\admin\Pictures\financiallondon.png
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Music\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Links\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Favorites\Windows Live\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Favorites\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Favorites\MSN Websites\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Favorites\Microsoft Websites\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Favorites\Links for United States\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Favorites\Links\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Downloads\KrFyKcUhlGhLIYWq.0EI3G
binary
MD5: 1c95d1e71d6ac7e0d8553a9063dfc04f
SHA256: d0fbb85546e6230d0c15db7e2f3cacf80953122d2acba53ded620d43fc4f0f0e
2656
krakentemp0000.exe
C:\Users\admin\Downloads\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Downloads\yearmeet.jpg
––
MD5:  ––
SHA256:  ––
2932
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRb2932.12625\2018-10-04_19-37-40.bin
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Downloads\usingelements.png
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Downloads\zjkrQNIQYqHXwirV.0EI3G
binary
MD5: a86be5d406dca243ceb557fa156188d5
SHA256: ea80ba975e43596063418c0a956a9697f391419090e7b70ef0ab8061a820f655
2656
krakentemp0000.exe
C:\Users\admin\Downloads\samewhether.jpg
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Downloads\WurpFJFmhYangLwD.0EI3G
binary
MD5: 755ddb9fd4ead749680bc58f5e41ca67
SHA256: 89b6bc61c519d6a62207a3e76c36426a91f8a940fd07e02f25af92c10a2ca035
2656
krakentemp0000.exe
C:\Users\admin\Downloads\placesfeatures.jpg
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Downloads\tFzotGCIrHuDQnBk.0EI3G
binary
MD5: 372c4b24e4efdc1a0a61ca6eb5601ce0
SHA256: 3755fda0b638a0eba21cd7ad3381ca62a45f572e179ad09a9104fa98712423b6
2656
krakentemp0000.exe
C:\Users\admin\Downloads\iesome.jpg
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Downloads\ZvibuwNDIOKijagz.0EI3G
binary
MD5: a36a75c6571c8fc17adc1b7d5763b9ea
SHA256: 95f33371a10f22bf4dbce1ef77d690527c2ef7bfa0f3ab4963b663f7b414c3f0
2656
krakentemp0000.exe
C:\Users\admin\Downloads\evenchurch.jpg
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Documents\Outlook Files\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Documents\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Documents\Outlook Files\mBHujoQwabmnDwBO.0EI3G
binary
MD5: 2126666972e3f5da9394b8d756632bd5
SHA256: afea3dcb0643c74cc47de203d0d5b5f30e2997f3f3b758ba79e0c8a9c0468683
2656
krakentemp0000.exe
C:\Users\admin\Documents\Outlook Files\Outlook.pst
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Documents\Outlook Files\rbFXLlEQlPRenHww.0EI3G
drz
MD5: 073968a4aadf53d69e8f03db4e723dd2
SHA256: 08314bd7cfdb8bb09e6d1ed6ea493511d0b8b8905fa9924235a53fdf83ca84e2
2656
krakentemp0000.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Documents\Outlook Files\EhepAcHJDbtjHdRL.0EI3G
binary
MD5: b8ea8348c59c9bc3e341e1c8140984ba
SHA256: c2ecdcb9073a1e1158fd3ab8f639d912d653c094c1b66f48e0aa59def4f170c4
2656
krakentemp0000.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Documents\Outlook Files\jXMdBTSEUiJOaQwZ.0EI3G
binary
MD5: d59459fe987250fc1668078c7c8738e5
SHA256: c868993e6af311950fe7b4b7f6f4c538244ed6353830aaab1e9da3dd4eb42d3f
2656
krakentemp0000.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Documents\OneNote Notebooks\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Documents\etbZeLMwoAwuuVHp.0EI3G
binary
MD5: 96293f1fe5ed8203c3eb891c84ecb97f
SHA256: a13d0debf46d6c52ecdaac539f794298b79e348b704b11ff46cf11c6f8ed99d2
2656
krakentemp0000.exe
C:\Users\admin\Documents\ncagainst.rtf
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Documents\iUZCHIAQyobkehCX.0EI3G
binary
MD5: b01cb6f1d2df80bc8eaefb1efa7cfa95
SHA256: 3ca5a9aa872ea1a5778c8882db9fec4351217bd8c325d6c6b4e48892881d314d
2656
krakentemp0000.exe
C:\Users\admin\Documents\hostingiraq.rtf
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Documents\huSMTyVMOqgpyksl.0EI3G
binary
MD5: 70f879c1de2203d74b04b5f62db1d4f9
SHA256: 23df36cb01216cd385f249b89ce9545b95c2d9f91bd76cbae3f580bea3982cad
2656
krakentemp0000.exe
C:\Users\admin\Documents\directionsring.rtf
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Desktop\lVQowvJhZdLfhwmT.0EI3G
binary
MD5: 6203a8fc4b5a4b98c0740f35f94fe509
SHA256: 378f646cb8ac50bb35f63bcbb169424bfb07d9db57284664b11647cde98bb272
2656
krakentemp0000.exe
C:\Users\admin\Desktop\tooreports.rtf
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\RLycwmUbqlcKBiSh.0EI3G
binary
MD5: 5184d532a57bb5e0e3e6784002f958b3
SHA256: d5b1d99f0750b4a75e5aa19afad1889dc9495e2e2a20dfcb43da36b528a49587
2656
krakentemp0000.exe
C:\Users\admin\Desktop\similarrules.rtf
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\DBnjNkAuCeRbldCQ.0EI3G
binary
MD5: 84740a4e2007ec2fdd039cf7ec93fa41
SHA256: 188d331e5dadde30dc09af6bfcdaa86fafb844e31273962590d76e2295e2659f
2656
krakentemp0000.exe
C:\Users\admin\Desktop\republicchair.png
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\QHMCCbCoUqtgFzXf.0EI3G
binary
MD5: f999e64dcc643afa1aa3317c8cf0d60c
SHA256: c6e91a7a2d9b52334662eba0cb102143bfbc27a9eb0060f83341a40fb9ad4ee1
2656
krakentemp0000.exe
C:\Users\admin\Desktop\pmcat.rtf
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\pmcat.rtf
binary
MD5: 4bad4cad71744c97f89ee3529aab7a4d
SHA256: 8ff1685703e27f38c055b30d6d0487395faa03c806af5d6a9754742456270436
2656
krakentemp0000.exe
C:\Users\admin\Desktop\vxupDSOilxKLYmCt.0EI3G
binary
MD5: 8156158664f021bce7de23610168d3ff
SHA256: 8888f61de5383f87e140a71ca3b625a235b15db185e695756c9cecb2121be6c6
2656
krakentemp0000.exe
C:\Users\admin\Desktop\paymentitaly.png
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\AYsSgPCDwloCIxxc.0EI3G
binary
MD5: 6a41c9fac315660202846b61f0777ae0
SHA256: 7bf2c80b8f7c1e7a61fb98a8e9c7017bcefe1fe5ee9330f231e129013709afcf
2656
krakentemp0000.exe
C:\Users\admin\Desktop\mediashort.png
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\gObGgFOxNsFhckdq.0EI3G
binary
MD5: 7755ba34a1db00d4e5536611e53350af
SHA256: 176b697681739a87d2de3cbca2af01ca625e465dcd7e3adf574e51b0affa51ec
2656
krakentemp0000.exe
C:\Users\admin\Desktop\ladetail.png
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\kpZjJCCSYgkXMwYY.0EI3G
bs
MD5: 74762d62f64ab85a45e13fa8743aa79b
SHA256: 59c782d438a93b3884be94f3e67853504856ab3e4414a3a97b80d26d70aad154
2656
krakentemp0000.exe
C:\Users\admin\Desktop\jewelryexecutive.png
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\QfHXJtNMpoACgiDn.0EI3G
binary
MD5: 03fa3e715e035c379eb85d8d03c0dc29
SHA256: 2227b40b23e079f227970c7aa567663536d439830b618b779bc7b4b82b201dd9
2656
krakentemp0000.exe
C:\Users\admin\Desktop\independentfavorite.rtf
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\dlgpykQFHAcHzEYC.0EI3G
mp3
MD5: e07ec5c2731b5cab6f5f7de7d2d91a0c
SHA256: ff1b2744273bc627b8fe0aa499643a38843e78873d205b6167a88308db75d72a
2656
krakentemp0000.exe
C:\Users\admin\Desktop\groupsthan.rtf
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\AwonnhNbRjwXjhdj.0EI3G
binary
MD5: 423a1458598f17a5fa8b787c858ff427
SHA256: c651a8f30515ffb8dba95492d9646eb07c2cabf614c976ca15f73145822c2568
2656
krakentemp0000.exe
C:\Users\admin\Desktop\eventcoffee.jpg
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\FWmQQeBwcXaOTsYR.0EI3G
binary
MD5: 5e806a1c66cb0ddb769663534a25f58b
SHA256: 65d58299756f957361bf3279166a274433a88b6add287e6e539aae53a4fa62f9
2656
krakentemp0000.exe
C:\Users\admin\Desktop\canadianwed.rtf
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Desktop\canadianwed.rtf
binary
MD5: a726bbb1272a7cfedec3a87a920a4f49
SHA256: c305be52743bc0d8107179ff3b6f85661fb4ae3250ea245456af93073e1837bb
2656
krakentemp0000.exe
C:\Users\admin\Desktop\IXcCFQJMCNKJXIIO.0EI3G
binary
MD5: e32e9315e744624f02394ad591689125
SHA256: 509b1bb3100448d7797a9426f502852ac08f1384d8bb77ece2498aedb37b8c5e
2656
krakentemp0000.exe
C:\Users\admin\Desktop\advicepopulation.jpg
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\Contacts\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\Users\admin\Contacts\MyafhOyhNBpzHTDw.0EI3G
binary
MD5: a85c09adecb2f823c0198b828644e3d8
SHA256: 2dc21478506180a2b056ae1ae598b13380fe58a66ffb712d20771b3b99e6f432
2656
krakentemp0000.exe
C:\Users\admin\Contacts\admin.contact
––
MD5:  ––
SHA256:  ––
2656
krakentemp0000.exe
C:\Users\admin\.oracle_jre_usage\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\PerfLogs\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\PerfLogs\Admin\# How to Decrypt Files-0EI3G.html
html
MD5: 424401f9660f76bbebd9001fff867892
SHA256: f1f91fd4586c406b171fa8a79c80498abb851baf2e42a735e7b949549c85cc72
2656
krakentemp0000.exe
C:\ProgramData\release.bat
text
MD5: 7667166149de0bbdcedc592babcc43d5
SHA256: 2ad05e02ffe4c7c1ee09b063f7547bf6a304d227dccbeab64d0e2bae6234271a
2656
krakentemp0000.exe
C:\ProgramData\sdelete64.exe
––
MD5:  ––
SHA256:  ––

Find more information on the static content and download it in the full report
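Reading the registry and dropped-file tables together: x.exe (PID 3060) drops krakentemp0000.exe, which then writes sdelete.exe, sdelete64.exe and release.bat into C:\ProgramData, resolves download.sysinternals.com, and has reg.exe set EulaAccepted=1 under HKEY_CURRENT_USER\Software\Sysinternals\SDelete, the value that suppresses the Sysinternals licence prompt so the tool can run unattended. The same ransom note (MD5 424401f9660f76bbebd9001fff867892) is written into every directory, encrypted files are renamed to a random 16-character stem plus the .0EI3G extension that also appears in the note name, and the original names (postsmonths.png, tooreports.rtf, Outlook.pst and so on) are listed with no hash, meaning the sandbox found nothing to hash there afterwards; if SDelete was run on them, file carving is unlikely to recover them. The HKLM\SOFTWARE\Microsoft\Tracing\krakentemp0000_RASAPI32 and _RASMANCS writes, by contrast, are the normal side effect of a process loading the RAS/WinINet networking libraries and are not indicators on their own. The Python script below is an added triage example, not part of the ANY.RUN report: it re-derives those findings from a constructed subset of the page's records, flattened one record per line with '|' separators and an ASCII '--' standing in for the report's empty-hash marker. The 16-character stem pattern, the three-directory threshold for calling a file a ransom note, and the record layout are assumptions made for the example.

```python
"""Triage of a flattened sandbox report: dropped files plus registry writes.

Added example, not part of the ANY.RUN report. The two SAMPLE_* strings are a
constructed subset of the page's records, one record per line, '|'-separated.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

NO_HASH = "--"  # stands in for the report's empty-hash marker (assumption)

# Constructed subset of "Dropped files": PID|Process|Filename|Type|MD5
SAMPLE_DROPPED = r"""
2656|krakentemp0000.exe|C:\ProgramData\sdelete.exe|executable|f41a1afc4cfb95f35cd92da98d90c27b
3060|x.exe|C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe|executable|b8665cf00d32352ee83ceb189595a753
2656|krakentemp0000.exe|C:\Users\admin\Downloads\ENUunVOZEYUrcdgG.0EI3G|binary|81c3dcb0a1c01f373be91c0ce785746f
2656|krakentemp0000.exe|C:\Users\Public\Documents\# How to Decrypt Files-0EI3G.html|html|424401f9660f76bbebd9001fff867892
2656|krakentemp0000.exe|C:\Users\admin\Desktop\# How to Decrypt Files-0EI3G.html|html|424401f9660f76bbebd9001fff867892
2656|krakentemp0000.exe|C:\Users\admin\Pictures\# How to Decrypt Files-0EI3G.html|html|424401f9660f76bbebd9001fff867892
2656|krakentemp0000.exe|C:\Users\admin\Pictures\FWQfTwLPlYodXuPt.0EI3G|binary|a4b5776db941bb7a36667568544683a4
2656|krakentemp0000.exe|C:\Users\admin\Pictures\postsmonths.png|--|--
2656|krakentemp0000.exe|C:\Users\admin\Desktop\tooreports.rtf|--|--
2656|krakentemp0000.exe|C:\ProgramData\release.bat|text|7667166149de0bbdcedc592babcc43d5
""".strip()

# Constructed subset of the registry writes: PID|Process|Op|Key|Name|Value
SAMPLE_REGISTRY = r"""
2920|reg.exe|write|HKEY_CURRENT_USER\Software\Sysinternals\SDelete||
3588|reg.exe|write|HKEY_CURRENT_USER\Software\Sysinternals\SDelete|EulaAccepted|1
2276|sdelete.exe|write|HKEY_CURRENT_USER\Software\Sysinternals\SDelete|EulaAccepted|1
2656|krakentemp0000.exe|write|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap|AutoDetect|1
""".strip()

NOTE_RE = re.compile(r"-([A-Za-z0-9]+)\.html$")
SYSINTERNALS_KEY_RE = re.compile(r"\\Software\\Sysinternals\\([^\\]+)$", re.IGNORECASE)


def parse_records(text, fields):
    """Split '|'-separated lines into dicts keyed by the given field names."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("|")
        values += [""] * (len(fields) - len(values))  # tolerate a short record
        rows.append(dict(zip(fields, values)))
    return rows


def infer_victim_extension(note_filename):
    """'# How to Decrypt Files-0EI3G.html' -> '0EI3G'; None if the name has no suffix."""
    m = NOTE_RE.search(note_filename)
    return m.group(1) if m else None


def find_ransom_notes(records, min_dirs=3):
    """Same hash written into many directories = ransom note; returns {md5: (name, n_dirs)}."""
    dirs_by_hash, name_by_hash = defaultdict(set), {}
    for r in records:
        if r["md5"] == NO_HASH:
            continue
        p = PureWindowsPath(r["filename"])
        dirs_by_hash[r["md5"]].add(str(p.parent))
        name_by_hash[r["md5"]] = p.name
    return {h: (name_by_hash[h], len(d)) for h, d in dirs_by_hash.items() if len(d) >= min_dirs}


def find_encrypted_outputs(records, ext):
    """Files renamed to a random 16-char alphanumeric stem plus the victim extension (assumed pattern)."""
    pat = re.compile(r"^[A-Za-z0-9]{16}\." + re.escape(ext) + "$")
    return sorted(r["filename"] for r in records if pat.match(PureWindowsPath(r["filename"]).name))


def find_unhashable(records):
    """Touched files the sandbox could not hash afterwards (wiped originals or transient files)."""
    return sorted(r["filename"] for r in records if r["md5"] == NO_HASH)


def find_sysinternals_eula_bypass(reg_records):
    """EulaAccepted=1 under HKCU\\Software\\Sysinternals\\<tool>: a Sysinternals tool run without its prompt."""
    hits = set()
    for r in reg_records:
        m = SYSINTERNALS_KEY_RE.search(r["key"])
        if m and r["name"].lower() == "eulaaccepted" and r["value"] == "1":
            hits.add((m.group(1), r["process"]))
    return sorted(hits)


def triage(dropped_text=SAMPLE_DROPPED, registry_text=SAMPLE_REGISTRY):
    """Run every check over the two tables and return one summary dict."""
    files = parse_records(dropped_text, ["pid", "process", "filename", "type", "md5"])
    regs = parse_records(registry_text, ["pid", "process", "op", "key", "name", "value"])
    notes = find_ransom_notes(files)
    exts = {infer_victim_extension(name) for name, _ in notes.values()} - {None}
    encrypted = [f for ext in sorted(exts) for f in find_encrypted_outputs(files, ext)]
    return {
        "notes": notes,
        "extensions": sorted(exts),
        "encrypted": encrypted,
        "unhashable": find_unhashable(files),
        "eula_bypass": find_sysinternals_eula_bypass(regs),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Running it prints the note hash with its directory count, the extension inferred from the note name, the renamed files, the unhashable originals and the SDelete EulaAccepted writes. Pointing parse_records at a full export of the two tables gives the same summary for the whole run; the EulaAccepted check is worth keeping as a standalone hunt, since any script that silently runs a Sysinternals tool has to set that value or pass -accepteula.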

Network activity

HTTP(S) requests
6
TCP/UDP connections
5
DNS requests
4
Threats
27

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2656 krakentemp0000.exe GET 302 104.28.12.103:80 http://blasze.tk/CN18R3 US text –– malicious
2656 krakentemp0000.exe GET 301 172.217.22.46:80 http://google.com/ US html –– whitelisted
2656 krakentemp0000.exe GET 200 172.217.16.132:80 http://www.google.com/ US html –– whitelisted
2656 krakentemp0000.exe GET 302 104.28.12.103:80 http://blasze.tk/CN18R3 US text –– malicious
2656 krakentemp0000.exe GET 301 172.217.22.46:80 http://google.com/ US html –– whitelisted
2656 krakentemp0000.exe GET 200 172.217.16.132:80 http://www.google.com/ US html –– whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2656 krakentemp0000.exe 216.239.38.21:443 Google Inc. US whitelisted
2656 krakentemp0000.exe 104.28.12.103:80 Cloudflare Inc US suspicious
2656 krakentemp0000.exe 172.217.22.46:80 Google Inc. US whitelisted
2656 krakentemp0000.exe 172.217.16.132:80 Google Inc. US whitelisted
2656 krakentemp0000.exe 152.199.19.160:443 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted

DNS requests

Domain IP Reputation
ipinfo.io 216.239.38.21, 216.239.32.21, 216.239.36.21, 216.239.34.21 shared
blasze.tk 104.28.12.103, 104.28.13.103 malicious
www.google.com 172.217.16.132 whitelisted
download.sysinternals.com 152.199.19.160 whitelisted

Threats

PID Process Class Message
2656 krakentemp0000.exe A Network Trojan was detected ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo.io)
2656 krakentemp0000.exe Potential Corporate Privacy Violation ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
2656 krakentemp0000.exe A Network Trojan was detected ET TROJAN [PTsecurity] Kraken Ransomware Start Activity 2
2656 krakentemp0000.exe A Network Trojan was detected SC RANSOMWARE Ransomware Kraken Win32
2656 krakentemp0000.exe A Network Trojan was detected MALWARE [PTsecurity] Kraken Cryptor
2656 krakentemp0000.exe A Network Trojan was detected MALWARE [PTsecurity] Ransomware.Kraken_Cryptor UA
2656 krakentemp0000.exe A Network Trojan was detected MALWARE [PTsecurity] Ransomware.Kraken_Cryptor URL
2656 krakentemp0000.exe Potentially Bad Traffic ET POLICY HTTP Request to a *.tk domain
2656 krakentemp0000.exe A Network Trojan was detected ET TROJAN [PTsecurity] Kraken Ransomware Start Activity 2
2656 krakentemp0000.exe A Network Trojan was detected SC RANSOMWARE Ransomware Kraken Win32
2656 krakentemp0000.exe A Network Trojan was detected MALWARE [PTsecurity] Kraken Cryptor
2656 krakentemp0000.exe A Network Trojan was detected MALWARE [PTsecurity] Ransomware.Kraken_Cryptor UA
2656 krakentemp0000.exe A Network Trojan was detected ET TROJAN [PTsecurity] Kraken Ransomware Start Activity 2
2656 krakentemp0000.exe A Network Trojan was detected SC RANSOMWARE Ransomware Kraken Win32
2656 krakentemp0000.exe A Network Trojan was detected MALWARE [PTsecurity] Kraken Cryptor
2656 krakentemp0000.exe A Network Trojan was detected MALWARE [PTsecurity] Ransomware.Kraken_Cryptor UA
2656 krakentemp0000.exe A Network Trojan was detected ET TROJAN Kraken Ransomware End Activity
2656 krakentemp0000.exe A Network Trojan was detected SC RANSOMWARE Ransomware Kraken Win32
2656 krakentemp0000.exe A Network Trojan was detected MALWARE [PTsecurity] Ransomware.Kraken_Cryptor HTTP Header
2656 krakentemp0000.exe A Network Trojan was detected ET TROJAN Kraken Ransomware End Activity
2656 krakentemp0000.exe A Network Trojan was detected SC RANSOMWARE Ransomware Kraken Win32
2656 krakentemp0000.exe A Network Trojan was detected MALWARE [PTsecurity] Ransomware.Kraken_Cryptor URL
2656 krakentemp0000.exe A Network Trojan was detected MALWARE [PTsecurity] Ransomware.Kraken_Cryptor HTTP Header
2656 krakentemp0000.exe Potentially Bad Traffic ET POLICY HTTP Request to a *.tk domain
2656 krakentemp0000.exe A Network Trojan was detected ET TROJAN Kraken Ransomware End Activity
2656 krakentemp0000.exe A Network Trojan was detected SC RANSOMWARE Ransomware Kraken Win32
2656 krakentemp0000.exe A Network Trojan was detected MALWARE [PTsecurity] Ransomware.Kraken_Cryptor HTTP Header

Debug output strings

No debug info.